This is an official security update from the Next.js team regarding a critical vulnerability affecting React Server Components (RSC) in Next.js App Router applications. The issue is rated CVSS 10.0 and can lead to remote code execution in unpatched environments.
A critical vulnerability has been identified in the React Server Components (RSC) protocol. This issue can allow remote code execution when processing attacker-controlled requests in unpatched environments. This advisory tracks the downstream impact on Next.js applications using the App Router.
The vulnerable RSC protocol allowed untrusted inputs to influence server-side execution behavior. Under specific conditions, an attacker could craft malicious requests that trigger unintended server execution paths, resulting in remote code execution.
Not affected: Next.js 13.x, stable 14.x, Pages Router applications, and the Edge Runtime.
There is no workaround. All users should upgrade to the latest patched version immediately.
npm install next@15.0.5
npm install next@15.1.9
npm install next@15.2.6
npm install next@15.3.6
npm install next@15.4.8
npm install next@15.5.7
npm install next@16.0.7
# Canary releases
npm install next@15.6.0-canary.58
npm install next@16.1.0-canary.12
# If using 14.x canary
npm install next@14
npx fix-react2shell-next
For full details, see the official Next.js advisory: https://nextjs.org/blog/CVE-2025-66478
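To check whether an installed Next.js version is at or above the patched release for its line, the following is an added Node.js example; it is not code from the Next.js team or from the advisory. The version table and the not-affected lines come from the advisory above; the semver comparison, the `assessNextVersion` helper and the sample versions are constructed for this example. Release lines the advisory does not list (for instance a future 16.2.x) are reported as unknown rather than guessed.

```javascript
// Added example, not part of the advisory: classify an installed Next.js
// version against the patched releases listed above. The table and the
// "not affected" rules are taken from the advisory; the comparison logic,
// the function names and the sample versions are constructed here.

// Minimum patched release for every affected release line named in the advisory.
const PATCHED_BY_LINE = {
  '15.0': '15.0.5',
  '15.1': '15.1.9',
  '15.2': '15.2.6',
  '15.3': '15.3.6',
  '15.4': '15.4.8',
  '15.5': '15.5.7',
  '15.6': '15.6.0-canary.58',
  '16.0': '16.0.7',
  '16.1': '16.1.0-canary.12',
};

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]" into numbers and prerelease identifiers.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v.trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { major: Number(m[1]), minor: Number(m[2]), patch: Number(m[3]), pre: m[4] ? m[4].split('.') : [] };
}

// Compare prerelease identifier lists per semver: numeric identifiers compare
// numerically and sort before alphanumeric ones; a shorter list sorts first.
function comparePrerelease(a, b) {
  const n = Math.max(a.length, b.length);
  for (let i = 0; i < n; i++) {
    if (i >= a.length) return -1;
    if (i >= b.length) return 1;
    const an = /^\d+$/.test(a[i]), bn = /^\d+$/.test(b[i]);
    if (an && bn) {
      const d = Number(a[i]) - Number(b[i]);
      if (d !== 0) return d < 0 ? -1 : 1;
    } else if (an !== bn) {
      return an ? -1 : 1;
    } else if (a[i] !== b[i]) {
      return a[i] < b[i] ? -1 : 1;
    }
  }
  return 0;
}

// Semver precedence: returns -1, 0 or 1. A release without a prerelease tag
// is newer than the same version with one (15.6.0 > 15.6.0-canary.58).
function compareVersions(x, y) {
  const a = parseVersion(x), b = parseVersion(y);
  for (const k of ['major', 'minor', 'patch']) {
    if (a[k] !== b[k]) return a[k] < b[k] ? -1 : 1;
  }
  if (a.pre.length === 0 && b.pre.length === 0) return 0;
  if (a.pre.length === 0) return 1;
  if (b.pre.length === 0) return -1;
  return comparePrerelease(a.pre, b.pre);
}

// Classify one installed version: not_affected, patched, vulnerable or unknown,
// together with the upgrade command the advisory gives for that case.
function assessNextVersion(version) {
  const v = parseVersion(version);
  if (v.major === 13) return { status: 'not_affected', action: 'none' };
  if (v.major === 14) {
    // Stable 14.x is not affected; the advisory tells 14.x canary users to move to stable 14.
    return v.pre.length === 0
      ? { status: 'not_affected', action: 'none' }
      : { status: 'vulnerable', action: 'npm install next@14' };
  }
  const fixed = PATCHED_BY_LINE[`${v.major}.${v.minor}`];
  if (!fixed) {
    // Versions below 13 or release lines the advisory does not list: do not guess.
    return { status: 'unknown', action: 'see https://nextjs.org/blog/CVE-2025-66478' };
  }
  return compareVersions(version, fixed) >= 0
    ? { status: 'patched', action: 'none' }
    : { status: 'vulnerable', action: `npm install next@${fixed}` };
}

// Constructed sample versions, as one might collect from several deployments.
const SAMPLE_VERSIONS = ['13.5.6', '14.2.3', '14.3.0-canary.1', '15.3.5', '15.3.6', '15.6.0-canary.57', '16.0.7', '16.2.0'];
for (const ver of SAMPLE_VERSIONS) {
  const r = assessNextVersion(ver);
  console.log(`${ver.padEnd(18)} ${r.status.padEnd(13)} ${r.action}`);
}
```

The installed version to feed into `assessNextVersion` is the `version` field of `node_modules/next/package.json` in the deployed application. The check is a complement to, not a replacement for, the `npx fix-react2shell-next` step the advisory lists.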
“Always keep your frameworks updated to stay protected.”