On December 3, 2025, Next.js maintainers issued a critical security advisory (CVE-2025-66478) affecting the React Server Components (RSC) protocol. The flaw can lead to unauthenticated remote code execution on unpatched Next.js sites using the App Router. This article breaks down the risk, the affected versions, and the urgent fixes you should apply today.

On December 3, 2025, the developers of Next.js released a security advisory revealing a critical vulnerability. The flaw, tracked as CVE-2025-66478, affects how Next.js handles certain payloads in its React Server Components (RSC) — specifically via the “Flight” protocol.
Because of unsafe deserialization of attacker-controlled data sent to the server, a remote attacker — without authentication — could trigger arbitrary code execution on the server side. In simpler terms: with a crafted HTTP request, someone could make your Next.js backend run malicious code.
The vulnerability stems from an upstream flaw in React’s RSC implementation (CVE-2025-55182), which then propagates to frameworks using RSC — notably Next.js.
The severity is maximal: the advisory gives it a CVSS base score of 10.0, the highest possible rating, reflecting a flaw that is remotely reachable, requires no authentication, and results in full code execution.
If you are using Next.js with the App Router + RSC, then you are likely impacted. Specifically, these versions are vulnerable:
Next.js 15.x
Next.js 16.x
Canary releases from 14.3.0-canary.77 onward
On the other hand, the following configurations are not affected:
Next.js 13.x and stable 14.x (not canary builds)
Projects using Pages Router (instead of App Router)
Deployments using Edge Runtime
The Next.js team has already released patched versions that address the vulnerability by hardening how RSC payloads are deserialized.
If you are using one of the vulnerable versions, upgrade immediately to the patched release for the minor line you are on:
npm install next@15.0.5
npm install next@15.1.9
npm install next@15.2.6
npm install next@15.3.6
npm install next@15.4.8
npm install next@15.5.7
npm install next@16.0.7
If you are on 14.3.0-canary.77 or a later canary build, downgrade to the latest stable 14.x release:
npm install next@14
There’s no configuration option to disable the vulnerable code path, so updating (or downgrading) is the only safe option.
Beyond upgrading, developers should:
Audit their dependency tree to ensure no vulnerable RSC-related packages remain (e.g. react-server-dom-webpack, react-server-dom-turbopack, react-server-dom-parcel).
If using other frameworks or build tools bundling RSC (Vite plugin, Parcel plugin, RedwoodJS, etc.) — check upstream advisories and patch accordingly.
Consider applying additional mitigations (WAF, restricted network exposure) — at least until all dependencies are updated.
Because the vulnerability allows unauthenticated remote code execution (RCE), the consequences for unpatched Next.js applications are severe:
An attacker could execute arbitrary code — from reading or modifying sensitive data, to installing malware, or taking over the entire server.
The exploit requires only a crafted HTTP request — no login, no user interaction, no misconfiguration needed. Even default projects built with create-next-app can be vulnerable.
Exposure is widespread: many cloud-hosted apps, internal tools, or websites using Next.js + RSC are likely affected, unless proactively patched. Security firms estimate a significant share of cloud deployments still run vulnerable versions.
Given this, ignoring the update is extremely risky.
Immediately check your project’s Next.js version — if it’s in the affected range (see above), upgrade to a patched release or downgrade canary builds.
Audit all dependencies — ensure indirect dependencies (RSC libraries, plugins, frameworks) are also updated or replaced.
If you host publicly accessible services, consider deploying a Web Application Firewall (WAF) or request-filtering as mitigation until patching is confirmed. Several security vendors already rolled out rules to block known exploit patterns.
Monitor for suspicious HTTP requests, especially unusual POST bodies sent to Server Action endpoints (in Next.js these are the requests that carry a Next-Action header).
Inform your team / stakeholders — transparency and quick action minimize risk and potential damage.
The disclosure of CVE-2025-66478 serves as a stark reminder: even modern web frameworks built to ease development — like React + Next.js with Server Components — are vulnerable to deep security flaws. What makes this case especially alarming is how silent the vulnerability could remain: a standard project, untouched codebase, default configuration — yet fully exploitable.
For developers and teams using Next.js in 2025/2026, the message is clear: update now, audit dependencies, and don't assume safety just because "it's just frontend." The server-side logic a framework runs for you (server components, payload deserialization, routing) needs as much scrutiny as a hand-written backend API.