Security Alert: CVE-2025-66478 & CVE-2025-55182 Next.js React Server Components Remote Code Execution

Written by Emma Stevens
Threat Intelligence Researcher

Summary

A critical vulnerability, CVE-2025-66478, has been identified in Next.js applications using React Server Components (RSC) with the App Router.

The vulnerability carries a CVSS score of 10.0 and a Bitsight Dynamic Vulnerability Exploit (DVE) score of 7.85. It may allow remote code execution (RCE) when affected servers process attacker-controlled RSC requests.

CVE-2025-66478 is tied to an upstream React issue (CVE-2025-55182, DVE score 9.15) affecting the RSC protocol implementation. The Next.js advisory tracks its downstream impact on Next.js applications that integrate React Server Components.

The vulnerability stems from unsafe behavior in the RSC protocol, where untrusted inputs could influence server-side execution paths under specific conditions. Technical details are intentionally limited in the advisory to protect applications that have not yet upgraded.

CVE-2025-66478 overview

The React Server Components (RSC) protocol vulnerability (CVE-2025-55182) allowed malformed or malicious RSC protocol inputs to affect server-side behavior in unexpected ways.

Next.js applications using the App Router with RSC inherit this upstream vulnerability. When a vulnerable Next.js version processes affected RSC requests, the server may execute unintended code paths, leading to possible remote code execution.

This vulnerability affects server-side execution environments and cannot be mitigated through configuration alone. A framework upgrade is required.

Affected React and Next.js versions

Based on the official Next.js advisory, the following releases are affected when using React Server Components with the App Router:

  • Next.js 15.x
  • Next.js 16.x
  • Next.js 14.3.0-canary.77 and later canary releases

Affected React:

Not affected:

  • react-server-dom-parcel
  • react-server-dom-turbopack
  • react-server-dom-webpack

Fixed versions

The vulnerability is fully addressed in the following patched releases:

  • 15.0.5
  • 15.1.9
  • 15.2.6
  • 15.3.6
  • 15.4.8
  • 15.5.7
  • 16.0.7

Additionally, the underlying React vulnerability, CVE-2025-55182, is patched in:

  • React 19.0.1
  • React 19.1.2
  • React 19.2.1

These releases incorporate the hardened React Server Components implementation that resolves the vulnerability.

Required action

All React and Next.js users running affected versions should upgrade to the latest patched release within their major version line.

If you are running Next.js 14.3.0-canary.77 or later canary releases, downgrade to the latest stable 14.x version.

There is no configuration workaround or toggle that disables the vulnerable code path; upgrading or downgrading is the only mitigation.

Why this matters

React Server Components are widely used in modern Next.js applications. Because the vulnerability occurs in the framework’s server-side component protocol, affected applications may process malicious RSC requests before application-level security controls apply.

Framework-level RCE vulnerabilities present a significant operational risk, and patching is required to ensure the security of Next.js servers that use RSC with the App Router.

CVE-2025-66478 impact to organizations

Organizations operating vulnerable versions of Next.js with React Server Components may be at risk of:

  • Remote code execution on affected servers
  • Unintended server-side behavior resulting from malformed RSC inputs
  • Exposure of sensitive environment variables or secrets, depending on server configuration
  • Potential compromise of build, preview, or production environments that run vulnerable RSC handlers

Any environment using vulnerable versions — especially self-hosted or standalone Next.js servers — should be upgraded promptly to eliminate the risk.

Recommendations

To fully mitigate CVE-2025-66478:

  1. Upgrade to the patched version in your release line or downgrade from affected canary builds.
  2. Review server logs for unexpected RSC-related errors or crashes during request processing.
  3. Ensure secrets and environment variables are rotated if compromise is suspected.
  4. Validate that all production and preview environments are running patched versions.

Upgrading is the only complete mitigation.
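As an added example (not code from the advisory or from the Next.js or React projects), the following Node.js script checks pinned Next.js and React versions from a package.json-style dependency map against the fixed releases listed above, including the 14.3.0-canary.77 downgrade rule; the sample dependency map and the helper names are constructed for illustration.

```javascript
// Added example, not code from the advisory or the Next.js/React projects: classify an
// installed Next.js or React version against the fixed releases listed in this advisory.
const FIXED_NEXT = ["15.0.5", "15.1.9", "15.2.6", "15.3.6", "15.4.8", "15.5.7", "16.0.7"];
const FIXED_REACT = ["19.0.1", "19.1.2", "19.2.1"];

// Accepts "15.4.7", "v16.0.7", "^19.1.1" or "14.3.0-canary.77" (exact pins, not ranges like ">=15").
function parse(v) {
  const m = /^[\^~v]?(\d+)\.(\d+)\.(\d+)(?:-([a-z]+)\.(\d+))?$/i.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3],
           pre: m[4] ? m[4].toLowerCase() : null, preNum: m[5] ? +m[5] : 0 };
}

const fmt = (v) => `${v.major}.${v.minor}.${v.patch}`;
const cmp = (a, b) => a.major - b.major || a.minor - b.minor || a.patch - b.patch;

function assess(pkg, version) {
  const v = parse(version);
  const fixedList = pkg === "next" ? FIXED_NEXT : pkg === "react" ? FIXED_REACT : null;
  if (!fixedList) throw new Error(`unknown package: ${pkg}`);
  if (pkg === "next" && v.major === 14 && v.pre === "canary") {
    // Advisory: 14.3.0-canary.77 and later canaries are affected; the remedy is a
    // downgrade to the latest stable 14.x, not an upgrade within the canary line.
    const affected = v.minor > 3 || (v.minor === 3 && v.preNum >= 77);
    return { affected, action: affected ? "downgrade to latest stable 14.x" : "none" };
  }
  if (pkg === "next" && v.major < 15) return { affected: false, action: "none" }; // stable 14.x is the downgrade target
  if (pkg === "react" && v.major !== 19) return { affected: null, action: "not covered by the advisory" };
  // Fixed releases are listed per minor line (15.0.5, 15.1.9, ...): compare within the same major.minor.
  const line = fixedList.map(parse).find((f) => f.major === v.major && f.minor === v.minor);
  if (!line) return { affected: true, action: `no fixed release listed for ${v.major}.${v.minor}.x; consult the advisory` };
  const patched = v.pre === null && cmp(v, line) >= 0; // a prerelease of the fixed version is not the fix
  return { affected: !patched, action: patched ? "none" : `upgrade to ${pkg}@${fmt(line)}` };
}

// Walk a package.json-style dependency map and return every entry that still needs action.
function assessDependencies(deps) {
  const findings = [];
  for (const pkg of ["next", "react"]) {
    if (deps[pkg] === undefined) continue;
    const r = assess(pkg, deps[pkg]);
    if (r.affected) findings.push({ pkg, version: deps[pkg], ...r });
  }
  return findings;
}

// Constructed sample input (not a real project): a 15.4 app pinned to an unpatched React 19.1.
const sample = { next: "15.4.7", react: "^19.1.1" };
console.log(assessDependencies(sample));
```

Run it against the `dependencies` object of each deployable package.json (build, preview and production), since the advisory's step 4 asks for every environment to be validated.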

Threat landscape and context

This vulnerability highlights the dependency of modern web frameworks on upstream components such as React Server Components. When protocol-level vulnerabilities emerge in upstream components such as React, downstream frameworks like Next.js may require coordinated updates to restore safe behavior.

The React and Vercel teams released simultaneous advisories (CVE-2025-55182 and CVE-2025-66478) to ensure full visibility across the ecosystem.

How Bitsight TI and TPRM support you

Bitsight Threat Intelligence (TI) and Third-Party Risk Management (TPRM) help organizations:

  • Identify internet-facing assets or vendors using affected Next.js versions or server-side React implementations that rely on the vulnerable RSC protocol
  • Prioritize remediation based on the criticality of the upstream RSC vulnerability
  • Monitor frameworks and dependencies for high-severity vulnerabilities
  • Provide continuous insight into technology exposure across your third-party ecosystem

Conclusion

CVE-2025-66478 is a critical CVSS 10.0 vulnerability affecting Next.js App Router applications using React Server Components. CVE-2025-55182, which affects the React Server Components (RSC) protocol implementation in specific React 19.x releases, should also be taken seriously. Organizations using server-side RSC, such as through Next.js App Router, should ensure they are running a patched version of Next.js, which includes the updated React release.

Because the issue stems from a protocol-level flaw in React, upgrading is the only effective mitigation.

Immediate actions:

  • Upgrade React and Next.js to a fixed version
  • Ensure you are running a patched version of Next.js
  • Downgrade from affected canary builds
  • Validate that all environments are running patched releases
  • Review for unexpected RSC-related server behavior

Bitsight will continue to monitor updates from the React and Next.js teams and provide additional guidance as new information becomes available.
