NextJS Security Vulnerability
7 days ago
- #vulnerability
- #Next.js
- #security
- Critical vulnerability (CVE-2025-66478) identified in the React Server Components (RSC) protocol, rated CVSS 10.0.
- Allows remote code execution via attacker-controlled requests in unpatched environments.
- Affects Next.js applications using App Router in versions 15.x, 16.x, and 14.3.0-canary.77+.
- Fixed in patched Next.js releases: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7.
- Users must upgrade to the latest patched version in their release line or downgrade from canary to stable 14.x.
- No configuration option to disable the vulnerable code path.
- Discovered by Lachlan Davidson; technical details are being withheld to protect unpatched systems.
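As an added check (example code, not from the page or the Next.js project): classify a Next.js version string against the affected and patched versions listed above, for instance when triaging lockfiles across many repositories. The canary ordering rules and the `unlisted-line` status for release lines the page does not name are this example's assumptions.

```javascript
// Added example (not from the original page): classify a Next.js version
// against the affected and patched ranges this summary lists for CVE-2025-66478.
// Version only: the page also scopes the issue to apps using App Router.

// Patched releases named on the page, keyed by release line (major.minor).
const PATCHED = {
  '15.0': '15.0.5', '15.1': '15.1.9', '15.2': '15.2.6', '15.3': '15.3.6',
  '15.4': '15.4.8', '15.5': '15.5.7', '16.0': '16.0.7',
};
// First affected canary build on the 14.x line (page: 14.3.0-canary.77+).
const FIRST_AFFECTED_CANARY = { major: 14, minor: 3, patch: 0, canary: 77 };

// Parse "15.4.2" or "14.3.0-canary.80"; canary is null for a stable build.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-canary\.(\d+))?$/.exec(v.trim());
  if (!m) throw new Error(`unrecognised Next.js version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3],
           canary: m[4] === undefined ? null : +m[4] };
}

// Order by major.minor.patch; a canary build sorts before the stable release
// of the same triple and canaries are ordered by build number (assumption).
function compare(a, b) {
  const triple = (a.major - b.major) || (a.minor - b.minor) || (a.patch - b.patch);
  if (triple !== 0) return triple;
  if (a.canary === null || b.canary === null) return (a.canary === null) - (b.canary === null);
  return a.canary - b.canary;
}

// Returns { status, advice }; status is 'not-affected', 'affected', 'patched'
// or 'unlisted-line' (the page names no patched release for that line).
function assess(versionString) {
  const v = parseVersion(versionString);
  if (v.major < 14) return { status: 'not-affected', advice: 'line not named as affected on the page' };
  if (v.major === 14) {
    if (v.canary !== null && compare(v, FIRST_AFFECTED_CANARY) >= 0)
      return { status: 'affected', advice: 'downgrade from canary to stable 14.x' };
    return { status: 'not-affected', advice: 'stable 14.x is not listed as affected' };
  }
  const line = `${v.major}.${v.minor}`;
  const fixed = PATCHED[line];
  if (!fixed) return { status: 'unlisted-line', advice: `no patched release for ${line}.x named on the page; confirm against the advisory` };
  if (compare(v, parseVersion(fixed)) >= 0) return { status: 'patched', advice: `at or above ${fixed}` };
  return { status: 'affected', advice: `upgrade to ${fixed}` };
}

// Triage a list of versions collected from lockfiles (constructed sample input).
function triage(versions) {
  return Object.fromEntries(versions.map((v) => [v, assess(v).status]));
}
```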