Security Advisory: CVE-2025-66478 (React Server Components / Next.js)
The Next.js and React teams have disclosed a critical vulnerability in the React Server Components (RSC) protocol used by the App Router.
⚠️ Vulnerability Details
Upstream React CVE: CVE-2025-55182
Next.js Advisory CVE: CVE-2025-66478
Severity: CVSS 10.0 (Critical)
Impact: Potential Remote Code Execution (RCE) in unpatched environments
If your application was online and unpatched as of December 4th, 2025 at 1:00 PM PT, you should assume exposure and rotate your most sensitive secrets after patching.
What Happened?
A flaw in the React Server Components protocol allowed untrusted input from attacker-controlled requests to influence server-side execution paths.
Under certain conditions, an attacker could:
Send specially crafted RSC requests.
Trigger unintended code paths on the server.
Escalate this into Remote Code Execution (RCE) on the Next.js server.
The vulnerability originates in the upstream React RSC implementation and affects frameworks (like Next.js) that integrate it into their App Router.
Impacted Next.js Versions
Only applications using React Server Components with the App Router are affected.
| Status | Versions |
|---|---|
| 🚨 Affected | Next.js 15.x |
| 🚨 Affected | Next.js 16.x |
| 🚨 Affected | Next.js 14.3.0-canary.77 and later 14.x canary releases |
| ✅ Not Affected | Next.js 13.x |
| ✅ Not Affected | Next.js 14.x stable (non-canary) |
| ✅ Not Affected | Pages Router apps |
| ✅ Not Affected | Edge Runtime apps (without the vulnerable RSC path) |
Action: If you are running a production App Router app on 15.x or 16.x, you should treat this as critical and patch immediately.
Fixed Versions
The issue is fully patched in the following stable and canary releases. These versions ship a hardened React Server Components implementation that closes the RCE vector.
Stable Releases:
15.0.5
15.1.9
15.2.6
15.3.6
15.4.8
15.5.7
16.0.7
Canary Releases:
15.6.0-canary.58 (for 15.x canary)
16.1.0-canary.12 (for 16.x canary)
How to Patch Your Next.js App
1. Upgrade next to a Safe Version
Choose the version that matches your current line:
Bash
# 15.x stable
npm install next@15.0.5 # for 15.0.x
npm install next@15.1.9 # for 15.1.x
npm install next@15.2.6 # for 15.2.x
npm install next@15.3.6 # for 15.3.x
npm install next@15.4.8 # for 15.4.x
npm install next@15.5.7 # for 15.5.x
# 16.x stable
npm install next@16.0.7 # for 16.0.x
# Canary lines
npm install next@15.6.0-canary.58 # patched 15.x canary
npm install next@16.1.0-canary.12 # patched 16.x canary
Note: If you are on 14.3.0-canary.77 or a later 14.x canary, downgrade to the latest 14.x stable:
Bash
npm install next@14
If you used canary builds specifically for PPR, move to the patched 15.x canary instead:
Bash
npm install next@15.6.0-canary.58
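To tell which release line you are on and which of the fixed versions above to install, the following is an added example (not text from the advisory and not the code of the fix-react2shell-next tool). It classifies an exact installed next version against the affected and fixed ranges listed above. The version ordering (a canary of X.Y.Z sorts before X.Y.Z stable, as npm does for prerelease tags) and the decision to report a stable minor the advisory does not list as "unknown" rather than guessing are this example's own assumptions.

```javascript
// Added example, not the advisory's or the fix-react2shell-next tool's code:
// classify an installed `next` version against the affected and fixed ranges
// listed in the advisory and name the version to move to.

// Fixed stable release per line and fixed canary per major, from the advisory.
const FIXED_STABLE = {
  '15.0': '15.0.5', '15.1': '15.1.9', '15.2': '15.2.6', '15.3': '15.3.6',
  '15.4': '15.4.8', '15.5': '15.5.7', '16.0': '16.0.7',
};
const FIXED_CANARY = { 15: '15.6.0-canary.58', 16: '16.1.0-canary.12' };
const FIRST_AFFECTED_14_CANARY = '14.3.0-canary.77';

// Parse "15.4.7", "14.3.0-canary.77" or "v16.0.1". Range operators such as ^
// are rejected on purpose: a declared range is not the installed version.
function parseVersion(s) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-canary\.(\d+))?$/.exec(s.trim());
  if (!m) throw new Error(`not an exact next version: ${s}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], canary: m[4] === undefined ? null : +m[4] };
}

// Ordering assumption: numeric on major.minor.patch, and a canary of X.Y.Z
// sorts before X.Y.Z stable (matching npm semver for prerelease tags).
function compare(a, b) {
  for (const k of ['major', 'minor', 'patch']) if (a[k] !== b[k]) return a[k] - b[k];
  if (a.canary === null && b.canary === null) return 0;
  if (a.canary === null) return 1;
  if (b.canary === null) return -1;
  return a.canary - b.canary;
}

function atLeast(v, fixedString) {
  return compare(v, parseVersion(fixedString)) >= 0;
}

// Returns { status: 'affected' | 'fixed' | 'not-affected' | 'unknown', ... }.
function assess(versionString) {
  const v = parseVersion(versionString);
  if (v.major <= 13) return { status: 'not-affected', reason: '13.x and earlier are not affected' };
  if (v.major === 14) {
    if (v.canary === null) return { status: 'not-affected', reason: '14.x stable is not affected' };
    if (atLeast(v, FIRST_AFFECTED_14_CANARY)) {
      return {
        status: 'affected',
        upgradeTo: 'next@14 (latest 14.x stable), or 15.6.0-canary.58 if the canary was needed for PPR',
      };
    }
    return { status: 'not-affected', reason: `14.x canary earlier than ${FIRST_AFFECTED_14_CANARY}` };
  }
  if (v.major === 15 || v.major === 16) {
    if (v.canary !== null) {
      const fixed = FIXED_CANARY[v.major];
      return atLeast(v, fixed) ? { status: 'fixed' } : { status: 'affected', upgradeTo: fixed };
    }
    const fixed = FIXED_STABLE[`${v.major}.${v.minor}`];
    if (fixed === undefined) {
      // A stable minor the advisory does not list: do not guess, read the advisory.
      return { status: 'unknown', reason: `no fixed release listed for the ${v.major}.${v.minor} line` };
    }
    return atLeast(v, fixed) ? { status: 'fixed' } : { status: 'affected', upgradeTo: fixed };
  }
  return { status: 'unknown', reason: 'major version outside the advisory' };
}

// Usage: node check-next.js "$(node -p "require('next/package.json').version")"
if (typeof process !== 'undefined' && process.argv[2]) {
  console.log(process.argv[2], JSON.stringify(assess(process.argv[2])));
}
```

Feed it the version actually installed (node_modules/next/package.json or the lockfile), not the range in package.json: a `^15.4.0` range tells you nothing about whether the resolved version is 15.4.7 or 15.4.8.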
2. Use the Automated Fix Tool
The Next.js team released an npm package to simplify upgrades. This interactive tool detects your version and applies deterministic bumps based on the advisory.
Bash
npx fix-react2shell-next
⚠️ No Workarounds – Upgrade Is Required
There is no configuration-based workaround for CVE-2025-66478. Disabling individual routes or features is not sufficient. You must upgrade and redeploy.
Rotating Environment Variables and Secrets
Because this vulnerability can lead to RCE, you should assume that any secrets available to your app could have been exposed.
After upgrading and redeploying:
Identify your secrets:
Database usernames/passwords
Connection strings
API keys (Stripe, SendGrid, AWS, etc.)
JWT signing keys and OAuth client secrets
Rotate in order of criticality:
Start with database and core infrastructure credentials.
Then move to JWT signing keys / session secrets.
Finally, rotate third-party API keys.
Update & Invalidate:
Update the values in Vercel, AWS, or your .env manager.
Redeploy your app with the new values.
Revoke or delete the old keys to ensure they no longer work.
Recommended Response Plan
If your app was online and unpatched during the window of exposure:
Patch and redeploy to a fixed Next.js version immediately.
Rotate all secrets, starting with the most sensitive.
Review logs from the exposure window for unusual activity (unexpected RSC requests, server crashes or 5xx spikes, or unusual data exports).
Document the incident (versions used, patch time, rotation time).
Communicate with stakeholders if required by policy.
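For the log review step, the following is an added example that is not part of the advisory. It is a triage filter, not a signature of the exploit: it narrows an access log to the normal App Router request population (POSTs carrying a Next-Action header, and requests carrying the RSC: 1 header) inside the exposure window, then flags the ones that ended in a 5xx and any single source sending them in bulk, for a human to look at. The JSON-lines log format (fields ts, ip, method, path, status, next_action, rsc), the window end time, the burst threshold and the sample traffic are all constructed for this example.

```javascript
// Added example, not part of the advisory: a triage filter for the
// "review logs" step. Assumed input: JSON-lines access logs with fields
// ts, ip, method, path, status, and the request headers Next-Action and RSC
// copied into next_action / rsc. Map your own log pipeline onto these fields.

// Exposure window: advisory cut-off (Dec 4 2025, 1:00 PM PT = 21:00 UTC) until
// the time the fixed version was redeployed. The end time here is assumed.
const WINDOW_START = Date.parse('2025-12-04T21:00:00Z');
const WINDOW_END = Date.parse('2025-12-05T03:00:00Z');

function parseLogLine(line) {
  const rec = JSON.parse(line);
  return { ...rec, t: Date.parse(rec.ts) };
}

// App Router request markers: server actions are POSTs carrying a Next-Action
// header; RSC payload fetches carry RSC: 1. Both are legitimate traffic; they
// are only the population worth reviewing, not evidence of an attack.
function isRscRequest(rec) {
  return (rec.method === 'POST' && typeof rec.next_action === 'string') || rec.rsc === '1';
}

function triage(lines, { windowStart = WINDOW_START, windowEnd = WINDOW_END, burstThreshold = 20 } = {}) {
  const findings = [];
  const perSource = new Map();
  for (const line of lines) {
    if (!line.trim()) continue;
    const rec = parseLogLine(line);
    if (rec.t < windowStart || rec.t > windowEnd || !isRscRequest(rec)) continue;
    perSource.set(rec.ip, (perSource.get(rec.ip) || 0) + 1);
    // "Crashes": an RSC or server-action request that ended in a 5xx.
    if (rec.status >= 500) {
      findings.push({ kind: 'rsc-5xx', ip: rec.ip, path: rec.path, status: rec.status, ts: rec.ts });
    }
  }
  // "Strange RSC requests": one source sending far more of them than a
  // browser session would. Tune the threshold to your own baseline.
  for (const [ip, count] of perSource) {
    if (count >= burstThreshold) findings.push({ kind: 'rsc-burst', ip, count });
  }
  return findings;
}

// Constructed sample log (not real traffic): 203.0.113.9 hits a server action
// that returns 500 twice inside the window (and once before it, which is
// ignored); 198.51.100.7 sends 25 server-action POSTs in a few seconds;
// 192.0.2.10 is ordinary browsing.
function sampleLog() {
  const lines = [
    { ts: '2025-12-04T20:30:00Z', ip: '203.0.113.9', method: 'POST', path: '/account', status: 500, next_action: '7f3a' },
    { ts: '2025-12-04T21:05:00Z', ip: '192.0.2.10', method: 'GET', path: '/', status: 200 },
    { ts: '2025-12-04T21:05:01Z', ip: '192.0.2.10', method: 'GET', path: '/dashboard', status: 200, rsc: '1' },
    { ts: '2025-12-04T21:06:00Z', ip: '192.0.2.10', method: 'POST', path: '/dashboard', status: 200, next_action: '7f3a' },
    { ts: '2025-12-04T22:10:03Z', ip: '203.0.113.9', method: 'POST', path: '/account', status: 500, next_action: '7f3a' },
    { ts: '2025-12-04T22:10:09Z', ip: '203.0.113.9', method: 'POST', path: '/account', status: 500, next_action: '7f3a' },
  ];
  for (let i = 0; i < 25; i++) {
    lines.push({
      ts: `2025-12-04T23:00:${String(i).padStart(2, '0')}Z`,
      ip: '198.51.100.7', method: 'POST', path: '/login', status: 400, next_action: 'c0ffee',
    });
  }
  return lines.map((r) => JSON.stringify(r));
}

function runSample() {
  return triage(sampleLog());
}

// Demo on the constructed log. On a real system, feed the lines of your access
// log instead, e.g. fs.readFileSync(path, 'utf8').split('\n').
console.log(JSON.stringify(runSample(), null, 2));
```

The output of a filter like this is a worklist, not a verdict: a burst from one address may be a load test, and a 5xx on a server action may be an ordinary bug. The point is to look at RSC traffic in the window deliberately rather than scanning the whole log by eye.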
