PT-2025-48971 · Meta+1 · React+1

Published: 2025-12-03 · Updated: 2026-04-21 · CVE-2025-66478

CVSS v2.0: 10 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Next.js versions 14.3.0-canary.77 through 16.0.6; React versions 15.x and 16.x

Description: A critical Remote Code Execution (RCE) vulnerability exists in Next.js applications that use the App Router, specifically affecting React Server Components (RSC). The vulnerability, identified as CVE-2025-66478 and carrying a CVSS score of 10.0, allows attackers to execute arbitrary code on the server through crafted HTTP requests. Exploitation can lead to the installation of malicious software, such as cryptominers, and to the compromise of sensitive data, including API keys and database credentials. The vulnerability stems from insecure deserialization within the RSC protocol and is triggered by malformed HTTP requests targeting the RSC "Flight" protocol. Several reports indicate active exploitation in the wild; some incidents have involved attackers gaining access to systems and installing cryptominers. A scanner and fix utility, fix-react2shell-next, has been released to aid in detection and patching.

Recommendations: Upgrade Next.js to version 16.0.7 or later. Upgrade React to version 19.1.2 or later. Run the npx fix-react2shell-next utility to automatically patch affected Next.js applications. If using older versions, consider downgrading to a stable 14.x version. Review and lock down internal network ports and access rules. Enable a Web Application Firewall (WAF) for added protection. Rotate all sensitive credentials, including database passwords, API keys, and environment variables. Invalidate all user sessions and force a re-login. If Docker is used, ensure containers are not running as root.
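As an added example, not part of this advisory and not the fix-react2shell-next utility: a small Python check that reads every installed copy of Next.js from a package-lock.json (lockfileVersion 2 or 3, including nested copies) and flags versions inside the affected range stated above, 14.3.0-canary.77 through 16.0.6. The sample lockfile is constructed, and the semver ordering is a simplified assumption that handles the canary prerelease boundary.

```python
import json
import re

AFFECTED_FROM = "14.3.0-canary.77"   # inclusive, as stated in the advisory
AFFECTED_THROUGH = "16.0.6"          # inclusive, as stated in the advisory
FIXED_IN = "16.0.7"                  # the advisory's recommended upgrade target

_VERSION_RE = re.compile(
    r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$")

def parse_version(text):
    """Turn 'MAJOR.MINOR.PATCH[-prerelease][+build]' into a tuple that orders per semver:
    a release ranks above every prerelease of the same core, and numeric prerelease
    identifiers rank below alphanumeric ones (14.3.0-canary.77 < 14.3.0-canary.100 < 14.3.0)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    core = tuple(int(m.group(i)) for i in (1, 2, 3))
    pre = m.group(4)
    if pre is None:
        return core + ((1,),)            # release: sorts after any prerelease
    ids = tuple((0, int(p)) if p.isdigit() else (1, p) for p in pre.split("."))
    return core + ((0, ids),)

def is_affected(version):
    """True when a Next.js version lies inside the advisory's affected range."""
    v = parse_version(version)
    return parse_version(AFFECTED_FROM) <= v <= parse_version(AFFECTED_THROUGH)

def audit_lockfile(lock_text):
    """Report (install path, version, affected) for each copy of 'next' in a
    package-lock.json 'packages' map; nested copies under other packages count too."""
    packages = json.loads(lock_text).get("packages", {})
    findings = []
    for path, meta in packages.items():
        if path == "node_modules/next" or path.endswith("/node_modules/next"):
            findings.append((path, meta["version"], is_affected(meta["version"])))
    return findings

# Constructed sample lockfile: a vulnerable top-level copy plus a patched nested copy.
SAMPLE_LOCK = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"next": "15.5.2"}},
        "node_modules/next": {"version": "15.5.2"},
        "node_modules/some-tool/node_modules/next": {"version": FIXED_IN},
    },
})
```

Each flagged path is one copy that must reach 16.0.7 or later; a clean top-level entry does not clear a nested vulnerable copy.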

Exploit

Fix

Weakness Enumeration: Deserialization of Untrusted Data

Related Identifiers: BDU:2025-15156, CVE-2025-66478

Affected Products: Next.js, React