PT-2025-48971 · Vercel+1 · Next.Js+1

Published 2025-12-03 · Updated 2026-03-01 · CVE-2025-66478

CVSS v2.0: 10.0, Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Next.js versions 14.3.0-canary.77 through 16.0.6 (stable 14.x releases are outside the affected range); the React Server Components packages react-server-dom-webpack, react-server-dom-parcel and react-server-dom-turbopack, versions 19.0.0 through 19.2.0.
Description: A critical Remote Code Execution (RCE) vulnerability (CVE-2025-66478, publicly known as React2Shell) exists in Next.js applications that use the App Router and React Server Components (RSC); applications that use only the Pages Router are not affected. An unauthenticated attacker can execute arbitrary code on the server with a single crafted HTTP request, because the server-side RSC protocol deserializes the payload of a Server Function (Server Action) request without adequately validating the untrusted input (CWE-502, Deserialization of Untrusted Data). The vulnerable endpoint is exposed by default in every App Router application, whether or not the application defines its own Server Actions, and no authentication is needed, which is why the vulnerability carries a CVSS score of 10.0. Exploitation has been observed in the wild, with attackers deploying cryptominers, installing other malware and attempting to steal credentials and other sensitive data. The affected Next.js range is 14.3.0-canary.77 through 16.0.6; the underlying flaw lives in the React Server Components packages from 19.0.0 through 19.2.0 and is tracked by React as CVE-2025-55182, of which the Next.js-issued CVE-2025-66478 is a duplicate.
Recommendations: Upgrade Next.js to the patched release of the line in use: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7 or 16.0.7. Vercel's
npx fix-react2shell-next
tool can apply the upgrade to an affected Next.js application automatically. Projects that consume React Server Components without Next.js must update react-server-dom-webpack, react-server-dom-parcel or react-server-dom-turbopack to 19.0.1, 19.1.2 or 19.2.1. A project on an affected 14.3.0 canary that cannot move to a patched 15.x or 16.x release should downgrade to a stable 14.x release, which is outside the affected range. Because exploitation has been observed in the wild, treat any Internet-exposed instance that ran an affected version as potentially compromised: rotate all sensitive credentials (database passwords, API keys and secrets held in environment variables), review and lock down internal network ports and access rules, and look for indicators of compromise such as unexpected processes, new outbound connections and sustained CPU load from cryptominers. A Web Application Firewall (WAF) can block known exploit patterns but is not a substitute for patching. Run Docker containers as a non-root user so that a successful exploit does not start with root inside the container, and keep monitoring systems for suspicious activity.
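The first step of the recommendations above is an inventory: which deployed applications still run an affected Next.js or react-server-dom-* version, and which patched release each must move to. The following Node.js script is an added example, not part of this advisory and not Vercel's fix-react2shell-next tool. It encodes the affected range and the patched Next.js releases listed on this page; the react-server-dom-* patched releases (19.0.1, 19.1.2, 19.2.1) are taken from React's own advisory rather than from this page. The version comparison follows semver precedence so that canary builds such as 14.3.0-canary.77 are ordered correctly, and the sample inventory at the bottom is constructed for illustration.

```javascript
// Added example: classify installed Next.js / React Server Components package
// versions against the affected range and patched releases for
// CVE-2025-66478 (React2Shell). Not the advisory's or Vercel's own code.
// Next.js patched releases come from the advisory above; the
// react-server-dom-* patched releases come from React's advisory.

const NEXT_RANGE = { lower: "14.3.0-canary.77", upper: "16.0.6" };
const NEXT_FIXED = {
  "15.0": "15.0.5", "15.1": "15.1.9", "15.2": "15.2.6", "15.3": "15.3.6",
  "15.4": "15.4.8", "15.5": "15.5.7", "16.0": "16.0.7",
};
const RSC_PACKAGES = ["react-server-dom-webpack", "react-server-dom-parcel", "react-server-dom-turbopack"];
const RSC_RANGE = { lower: "19.0.0", upper: "19.2.0" };
const RSC_FIXED = { "19.0": "19.0.1", "19.1": "19.1.2", "19.2": "19.2.1" };

// Parse "16.0.6", "14.3.0-canary.77" or a package.json spec like "^15.5.0"
// into comparable parts. Prerelease identifiers are split on "." and numeric
// parts are kept as numbers so that canary.77 sorts after canary.9.
function parseVersion(spec) {
  const m = /^[\^~=v\s]*(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(spec));
  if (!m) return null;
  const pre = m[4] ? m[4].split(".").map((p) => (/^\d+$/.test(p) ? Number(p) : p)) : null;
  return { major: Number(m[1]), minor: Number(m[2]), patch: Number(m[3]), pre };
}

// Semver precedence: compare the core numbers, then a release outranks any of
// its prereleases, then prerelease identifiers are compared left to right.
function compareVersions(a, b) {
  for (const k of ["major", "minor", "patch"]) {
    if (a[k] !== b[k]) return a[k] < b[k] ? -1 : 1;
  }
  if (!a.pre && !b.pre) return 0;
  if (!a.pre) return 1;
  if (!b.pre) return -1;
  const n = Math.max(a.pre.length, b.pre.length);
  for (let i = 0; i < n; i++) {
    const x = a.pre[i], y = b.pre[i];
    if (x === undefined) return -1;        // shorter prerelease list sorts first
    if (y === undefined) return 1;
    if (x === y) continue;
    if (typeof x === "number" && typeof y === "number") return x < y ? -1 : 1;
    if (typeof x === "number") return -1;  // numeric identifiers sort before alphanumeric ones
    if (typeof y === "number") return 1;
    return x < y ? -1 : 1;
  }
  return 0;
}

// Classify one version as "not-affected", "fixed", "affected" or "review",
// with the concrete advice for that release line.
function classify(spec, range, fixedByLine) {
  const v = parseVersion(spec);
  if (!v) return { status: "review", advice: `cannot parse version "${spec}"` };
  if (compareVersions(v, parseVersion(range.lower)) < 0) {
    return { status: "not-affected", advice: `below ${range.lower}` };
  }
  const line = `${v.major}.${v.minor}`;
  const fixed = fixedByLine[line];
  if (fixed && compareVersions(v, parseVersion(fixed)) >= 0) {
    return { status: "fixed", advice: `at or above patched release ${fixed}` };
  }
  if (compareVersions(v, parseVersion(range.upper)) <= 0) {
    return {
      status: "affected",
      advice: fixed ? `upgrade to ${fixed}` : `no patched release on the ${line} line; move to a patched release line`,
    };
  }
  // Above the published upper bound with no patched release recorded for the
  // line: stable releases postdate the fix, prerelease builds need a manual look.
  return v.pre
    ? { status: "review", advice: `prerelease build above ${range.upper}; confirm it includes the fix` }
    : { status: "not-affected", advice: `above ${range.upper}` };
}

// Scan a map of installed package name -> version. Feed it the resolved
// versions (for example from `npm ls --json`), not package.json ranges: the
// installed build is what is running.
function scanInstalled(installed) {
  const findings = [];
  if (installed.next) {
    findings.push({ package: "next", version: installed.next, ...classify(installed.next, NEXT_RANGE, NEXT_FIXED) });
  }
  for (const name of RSC_PACKAGES) {
    if (installed[name]) {
      findings.push({ package: name, version: installed[name], ...classify(installed[name], RSC_RANGE, RSC_FIXED) });
    }
  }
  return findings;
}

// Constructed sample inventory (hypothetical, not taken from a real deployment).
const SAMPLE_INVENTORY = { next: "16.0.6", "react-server-dom-webpack": "19.2.0", react: "19.2.0" };
console.log(JSON.stringify(scanInstalled(SAMPLE_INVENTORY), null, 2));
```

The classifier deliberately keys the patched release on the major.minor line rather than on a single "greater than" check, because 15.5.7 sits numerically below the affected upper bound 16.0.6 yet is fixed, while 16.0.6 itself is not. Run it against the resolved versions of every deployment; any "affected" or "review" result is a host to patch and then to examine for the indicators of compromise listed in the recommendations.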


Weakness Enumeration: CWE-502 Deserialization of Untrusted Data

Related Identifiers: BDU:2025-15156, CVE-2025-66478, CVE-2025-55182 (the React advisory identifier, of which CVE-2025-66478 is a duplicate)

Affected Products

Next.Js
React