{"id":100537,"date":"2025-12-05T13:15:14","date_gmt":"2025-12-05T07:45:14","guid":{"rendered":"https:\/\/www.seminarsonly.com\/news\/?p=100537"},"modified":"2025-12-05T15:11:35","modified_gmt":"2025-12-05T09:41:35","slug":"cve-2025-66478-next-js-react-server-components-rce","status":"publish","type":"post","link":"https:\/\/seminarsonly.com\/news\/cve-2025-66478-next-js-react-server-components-rce\/","title":{"rendered":"CVE-2025-66478 | Next.js \/ React Server Components RCE"},"content":{"rendered":"<h3><span style=\"color: #008000;\"><em><b>CVE-2025-66478<\/b> is a critical vulnerability affecting Next.js applications that utilize React Server Components (RSC). It allows an unauthenticated remote attacker to execute arbitrary code on the server.<\/em><\/span><\/h3>\n<h3 data-path-to-node=\"0\"><b>CVE-2025-66478: Next.js \/ React Server Components RCE<\/b><\/h3>\n<p data-path-to-node=\"1\"><b>Status:<\/b> Critical (CVSS 10.0)<\/p>\n<p data-path-to-node=\"2\"><b>Vulnerability Type:<\/b> Remote Code Execution (RCE) via Insecure Deserialization<\/p>\n<p data-path-to-node=\"3\"><b>Affected Software:<\/b> Next.js (specifically applications using the <b>App Router<\/b>)<\/p>\n<p data-path-to-node=\"4\"><b>Upstream Root Cause:<\/b> CVE-2025-55182 (React)<\/p>\n<hr data-path-to-node=\"5\" \/>\n<h2 data-path-to-node=\"6\"><span style=\"color: #800000;\"><b>Overview<\/b><\/span><\/h2>\n<p data-path-to-node=\"7\"><b>CVE-2025-66478<\/b> is a critical vulnerability affecting Next.js applications that utilize React Server Components (RSC). It allows an unauthenticated remote attacker to execute arbitrary code on the server.<\/p>\n<p data-path-to-node=\"8\"><b>Note on CVE Status:<\/b> You may see this CVE listed as &#8220;Rejected&#8221; or a &#8220;Duplicate&#8221; in some databases (like NVD). This is procedural; the vulnerability is real, but it is technically a duplicate of the upstream React vulnerability (<b>CVE-2025-55182<\/b>). 
However, <b>CVE-2025-66478<\/b> is still the primary identifier used to track the specific impact on Next.js.<\/p>\n<hr \/>\n<h2 data-path-to-node=\"9\"><span style=\"color: #800000;\"><b>Technical Details<\/b><\/span><\/h2>\n<ul data-path-to-node=\"10\">\n<li>\n<p data-path-to-node=\"10,0,0\"><b>Root Cause:<\/b> The vulnerability exists in the React Server Components (RSC) &#8220;Flight&#8221; protocol. It involves insecure deserialization of payload data sent to the server.<\/p>\n<\/li>\n<li>\n<p data-path-to-node=\"10,1,0\"><b>Attack Vector:<\/b> An attacker can send a specially crafted HTTP request to a Next.js server (targeting Server Actions or App Router endpoints). The server fails to properly validate the structure of the incoming payload, allowing the attacker to manipulate server-side execution logic.<\/p>\n<\/li>\n<li>\n<p data-path-to-node=\"10,2,0\"><b>Authentication:<\/b> No authentication is required to exploit this flaw.<\/p>\n<\/li>\n<li>\n<p data-path-to-node=\"10,3,0\"><b>Impact:<\/b> Full server compromise (Remote Code Execution).<\/p>\n<\/li>\n<\/ul>\n<hr \/>\n<h2 data-path-to-node=\"11\"><span style=\"color: #800000;\"><b>Affected Versions<\/b><\/span><\/h2>\n<p data-path-to-node=\"12\">This vulnerability affects Next.js projects using the <b>App Router<\/b>.<\/p>\n<ul data-path-to-node=\"13\">\n<li>\n<p data-path-to-node=\"13,0,0\"><b>Next.js 15.x<\/b> (Prior to patched versions)<\/p>\n<\/li>\n<li>\n<p data-path-to-node=\"13,1,0\"><b>Next.js 16.x<\/b> (Prior to patched versions)<\/p>\n<\/li>\n<li>\n<p data-path-to-node=\"13,2,0\"><b>Next.js 14.3.0-canary.77<\/b> and later canary releases.<\/p>\n<\/li>\n<\/ul>\n<p data-path-to-node=\"14\"><i>Note: Next.js 13.x, Next.js 14.x (stable), and Pages Router applications are <b>not<\/b> 
affected.<\/i><\/p>\n<hr \/>\n<h2 data-path-to-node=\"15\"><span style=\"color: #800000;\"><b>Remediation &amp; Patches<\/b><\/span><\/h2>\n<p data-path-to-node=\"16\">Immediate patching is required. Upgrade your Next.js dependency to one of the following fixed versions (or newer):<\/p>\n<table style=\"height: 202px;\" width=\"731\" data-path-to-node=\"17\">\n<thead>\n<tr>\n<th>Release Line<\/th>\n<th>Fixed Version (Minimum)<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><span data-path-to-node=\"17,1,0,0\"><b>Next.js 16<\/b><\/span><\/td>\n<td><span data-path-to-node=\"17,1,1,0\"><code>16.0.7<\/code><\/span><\/td>\n<\/tr>\n<tr>\n<td><span data-path-to-node=\"17,2,0,0\"><b>Next.js 15<\/b><\/span><\/td>\n<td><span data-path-to-node=\"17,2,1,0\"><code>15.5.7<\/code>, <code>15.4.8<\/code>, <code>15.3.6<\/code>, <code>15.2.6<\/code>, <code>15.1.9<\/code>, <code>15.0.5<\/code><\/span><\/td>\n<\/tr>\n<tr>\n<td><span data-path-to-node=\"17,3,0,0\"><b>Next.js 14 (Canary)<\/b><\/span><\/td>\n<td><span data-path-to-node=\"17,3,1,0\">Downgrade to stable <code>v14<\/code> or upgrade to a fixed <code>15.x<\/code> release<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<hr \/>\n<h2 data-path-to-node=\"18\"><span style=\"color: #800000;\"><b>Next Steps<\/b><\/span><\/h2>\n<ol start=\"1\" data-path-to-node=\"19\">\n<li>\n<p data-path-to-node=\"19,0,0\"><b>Check your <code>package.json<\/code><\/b> to see if you are using an affected version of <code>next<\/code>.<\/p>\n<\/li>\n<li>\n<p data-path-to-node=\"19,1,0\"><b>Run <code>npm audit<\/code><\/b> or your preferred SCA tool to identify vulnerable dependencies.<\/p>\n<\/li>\n<li>\n<p data-path-to-node=\"19,2,0\"><b>Update immediately:<\/b><\/p>\n<pre><code class=\"language-bash\">npm install next@latest\n# OR for a specific version line\nnpm install next@15.5.7<\/code><\/pre>\n<\/li>\n<\/ol>\n","protected":false},"excerpt":{"rendered":"<p>CVE-2025-66478 is a critical vulnerability affecting Next.js applications that utilize React Server Components (RSC). It allows an unauthenticated remote attacker to execute arbitrary code on the server. CVE-2025-66478: Next.js \/&hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6048],"tags":[],"class_list":["post-100537","post","type-post","status-publish","format-standard","hentry","category-error-fix"],"yoast_head_json":{"title":"CVE-2025-66478 | Next.js \/ React Server Components RCE - Seminarsonly.com","description":"CVE-2025-66478 is a critical vulnerability affecting Next.js applications that utilize React Server Components (RSC). It allows an unauthenticated remote attacker to execute arbitrary code on the server","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/seminarsonly.com\/news\/cve-2025-66478-next-js-react-server-components-rce\/","og_locale":"en_US","og_type":"article","og_title":"CVE-2025-66478 | Next.js \/ React Server Components RCE","og_description":"CVE-2025-66478 is a critical vulnerability affecting Next.js applications that utilize React Server Components (RSC). It allows an unauthenticated remote attacker to execute arbitrary code on the server","og_url":"https:\/\/seminarsonly.com\/news\/cve-2025-66478-next-js-react-server-components-rce\/","og_site_name":"Seminarsonly.com","article_publisher":"https:\/\/facebook.com\/seminarsonly","article_published_time":"2025-12-05T07:45:14+00:00","article_modified_time":"2025-12-05T09:41:35+00:00","author":"Freddy John","twitter_card":"summary_large_image","twitter_creator":"@seminarsonly","twitter_site":"@seminarsonly","twitter_misc":{"Written by":"Freddy John","Est. 
reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/seminarsonly.com\/news\/cve-2025-66478-next-js-react-server-components-rce\/#article","isPartOf":{"@id":"https:\/\/seminarsonly.com\/news\/cve-2025-66478-next-js-react-server-components-rce\/"},"author":{"name":"Freddy John","@id":"https:\/\/seminarsonly.com\/news\/#\/schema\/person\/75cf706896b7210fb0a84651adc258bd"},"headline":"CVE-2025-66478 | Next.js \/ React Server Components RCE","datePublished":"2025-12-05T07:45:14+00:00","dateModified":"2025-12-05T09:41:35+00:00","mainEntityOfPage":{"@id":"https:\/\/seminarsonly.com\/news\/cve-2025-66478-next-js-react-server-components-rce\/"},"wordCount":368,"commentCount":0,"articleSection":["Error Fix"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/seminarsonly.com\/news\/cve-2025-66478-next-js-react-server-components-rce\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/seminarsonly.com\/news\/cve-2025-66478-next-js-react-server-components-rce\/","url":"https:\/\/seminarsonly.com\/news\/cve-2025-66478-next-js-react-server-components-rce\/","name":"CVE-2025-66478 | Next.js \/ React Server Components RCE - Seminarsonly.com","isPartOf":{"@id":"https:\/\/seminarsonly.com\/news\/#website"},"datePublished":"2025-12-05T07:45:14+00:00","dateModified":"2025-12-05T09:41:35+00:00","author":{"@id":"https:\/\/seminarsonly.com\/news\/#\/schema\/person\/75cf706896b7210fb0a84651adc258bd"},"description":"CVE-2025-66478 is a critical vulnerability affecting Next.js applications that utilize React Server Components (RSC). 
It allows an unauthenticated remote attacker to execute arbitrary code on the server","breadcrumb":{"@id":"https:\/\/seminarsonly.com\/news\/cve-2025-66478-next-js-react-server-components-rce\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/seminarsonly.com\/news\/cve-2025-66478-next-js-react-server-components-rce\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/seminarsonly.com\/news\/cve-2025-66478-next-js-react-server-components-rce\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/seminarsonly.com\/news\/"},{"@type":"ListItem","position":2,"name":"CVE-2025-66478 | Next.js \/ React Server Components RCE"}]},{"@type":"WebSite","@id":"https:\/\/seminarsonly.com\/news\/#website","url":"https:\/\/seminarsonly.com\/news\/","name":"Seminarsonly.com","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/seminarsonly.com\/news\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/seminarsonly.com\/news\/#\/schema\/person\/75cf706896b7210fb0a84651adc258bd","name":"Freddy John","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/671d452f5fe9027ab894cbed50911cc764b2c16878222070bf044f21705d4c94?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/671d452f5fe9027ab894cbed50911cc764b2c16878222070bf044f21705d4c94?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/671d452f5fe9027ab894cbed50911cc764b2c16878222070bf044f21705d4c94?s=96&d=mm&r=g","caption":"Freddy 
John"},"sameAs":["https:\/\/seminarsonly.com\/news"],"url":"https:\/\/seminarsonly.com\/news\/author\/anupvnaick_51wq8y4s\/"}]}},"_links":{"self":[{"href":"https:\/\/seminarsonly.com\/news\/wp-json\/wp\/v2\/posts\/100537","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/seminarsonly.com\/news\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/seminarsonly.com\/news\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/seminarsonly.com\/news\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/seminarsonly.com\/news\/wp-json\/wp\/v2\/comments?post=100537"}],"version-history":[{"count":0,"href":"https:\/\/seminarsonly.com\/news\/wp-json\/wp\/v2\/posts\/100537\/revisions"}],"wp:attachment":[{"href":"https:\/\/seminarsonly.com\/news\/wp-json\/wp\/v2\/media?parent=100537"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/seminarsonly.com\/news\/wp-json\/wp\/v2\/categories?post=100537"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/seminarsonly.com\/news\/wp-json\/wp\/v2\/tags?post=100537"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}