Skip to Content
UpdatesSecurityCVE-2025-66478: Next.js RCE

CVE-2025-66478: Critical Next.js RCE Vulnerability

CVSS Score: 10.0 (Critical) — Remote Code Execution vulnerability in React Server Components protocol.

Published: December 4, 2024 Affected: Next.js 15.x, 16.x, and 14.3.0-canary.77+ Fixed in: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7

Summary

A critical vulnerability has been identified in the React Server Components (RSC) protocol. The issue allows remote code execution when processing attacker-controlled requests in unpatched environments.

This vulnerability originates in the upstream React implementation (CVE-2025-55182). This advisory tracks the downstream impact on Next.js applications using the App Router.

Impact

The vulnerable RSC protocol allowed untrusted inputs to influence server-side execution behavior. Under specific conditions, an attacker could craft requests that trigger unintended server execution paths, resulting in remote code execution.

Affected Versions

StatusVersions
AffectedNext.js 15.x, 16.x
AffectedNext.js 14.3.0-canary.77 and later canary releases
Not AffectedNext.js 13.x, Next.js 14.x stable
Not AffectedPages Router applications
Not AffectedEdge Runtime

Required Action

Check your Next.js version

npm list next # or pnpm list next

Update to the patched version

# For 15.5.x npm install [email protected] # For other versions npm install [email protected] # for 15.0.x npm install [email protected] # for 15.1.x npm install [email protected] # for 15.2.x npm install [email protected] # for 15.3.x npm install [email protected] # for 15.4.x npm install [email protected] # for 16.0.x

For canary 14.x users

Downgrade to the latest stable 14.x release:

npm install next@14

Rebuild and redeploy

npm run build # Deploy to your hosting provider

There is no configuration option to disable the vulnerable code path. You must update to a patched version.

DjangoCFG Packages Status

All @djangocfg/* packages have been updated to require Next.js 15.5.7+:

PackageStatus
@djangocfg/nextjsUpdated to ^15.5.7
@djangocfg/uiUpdated to ^15.5.7
@djangocfg/layoutsCompatible (>=15.0.0)
@djangocfg/playgroundUpdated to ^15.5.7

Update your packages:

pnpm update @djangocfg/nextjs @djangocfg/ui @djangocfg/playground

References

Timeline

DateEvent
Dec 4, 2024Vulnerability disclosed
Dec 4, 2024Patched versions released
Dec 4, 2024DjangoCFG packages updated

Thank you to Lachlan Davidson for discovering and responsibly disclosing this vulnerability.

Last updated on