CVE-2025-66478: Critical Next.js RCE Vulnerability
CVSS Score: 10.0 (Critical) — Remote Code Execution vulnerability in React Server Components protocol.
Published: December 4, 2024 Affected: Next.js 15.x, 16.x, and 14.3.0-canary.77+ Fixed in: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7
Summary
A critical vulnerability has been identified in the React Server Components (RSC) protocol. The issue allows remote code execution when processing attacker-controlled requests in unpatched environments.
This vulnerability originates in the upstream React implementation (CVE-2025-55182). This advisory tracks the downstream impact on Next.js applications using the App Router.
Impact
The vulnerable RSC protocol allowed untrusted inputs to influence server-side execution behavior. Under specific conditions, an attacker could craft requests that trigger unintended server execution paths, resulting in remote code execution.
Affected Versions
| Status | Versions |
|---|---|
| Affected | Next.js 15.x, 16.x |
| Affected | Next.js 14.3.0-canary.77 and later canary releases |
| Not Affected | Next.js 13.x, Next.js 14.x stable |
| Not Affected | Pages Router applications |
| Not Affected | Edge Runtime |
Required Action
Check your Next.js version
npm list next
# or
pnpm list nextUpdate to the patched version
# For 15.5.x
npm install [email protected]
# For other versions
npm install [email protected] # for 15.0.x
npm install [email protected] # for 15.1.x
npm install [email protected] # for 15.2.x
npm install [email protected] # for 15.3.x
npm install [email protected] # for 15.4.x
npm install [email protected] # for 16.0.xFor canary 14.x users
Downgrade to the latest stable 14.x release:
npm install next@14Rebuild and redeploy
npm run build
# Deploy to your hosting providerThere is no configuration option to disable the vulnerable code path. You must update to a patched version.
DjangoCFG Packages Status
All @djangocfg/* packages have been updated to require Next.js 15.5.7+:
| Package | Status |
|---|---|
@djangocfg/nextjs | Updated to ^15.5.7 |
@djangocfg/ui | Updated to ^15.5.7 |
@djangocfg/layouts | Compatible (>=15.0.0) |
@djangocfg/playground | Updated to ^15.5.7 |
Update your packages:
pnpm update @djangocfg/nextjs @djangocfg/ui @djangocfg/playgroundReferences
- Next.js Security Advisory (CVE-2025-66478)
- React Security Advisory (CVE-2025-55182)
- Next.js Upgrade Guide
Timeline
| Date | Event |
|---|---|
| Dec 4, 2024 | Vulnerability disclosed |
| Dec 4, 2024 | Patched versions released |
| Dec 4, 2024 | DjangoCFG packages updated |
Thank you to Lachlan Davidson for discovering and responsibly disclosing this vulnerability.