Developers using the modern stack of Next.js and React are facing a “red alert” situation today. A maximum-severity security flaw has been uncovered in the React Server Components (RSC) protocol, putting countless applications at risk of total compromise. The vulnerability is so severe that it has been assigned a CVSS score of 10.0—the highest possible risk rating.
According to the official advisory, “A critical vulnerability has been identified in the React Server Components (RSC) protocol.” The consequences of ignoring this patch are dire: “The issue is rated CVSS 10.0 and can allow remote code execution when processing attacker-controlled requests in unpatched environments.”
The vulnerability is tracked under two identifiers: it originates in the upstream React implementation (CVE-2025-55182) and cascades down to Next.js applications using the App Router (CVE-2025-66478).
The core of the problem lies in how the server handles data. “The vulnerable RSC protocol allowed untrusted inputs to influence server-side execution behavior.” Because of this lack of strict validation, “an attacker could craft requests that trigger unintended server execution paths.”
This is not a theoretical bug; it provides a direct pathway for bad actors to take over the server. As the report states, “This can result in remote code execution in unpatched environments.”
This flaw is specific to the newer App Router architecture of Next.js. If you are using React Server Components with the App Router, you are likely affected.
The Affected Versions Include:
- Next.js 15.x
- Next.js 16.x
- Next.js 14.3.0-canary.77 and later canary releases
If you are running older stable versions or different routers, you may breathe a sigh of relief. “Next.js 13.x, Next.js 14.x stable, Pages Router applications, and the Edge Runtime are not affected.”
The maintainers have been clear: there is no workaround. “There is no configuration option to disable the vulnerable code path.” The only solution is to update the framework immediately.
This critical flaw was unearthed by security researcher Lachlan Davidson, who is credited with responsibly disclosing the vulnerability.
Currently, the exact Proof of Concept (PoC) code is being withheld to prevent widespread exploitation before teams have a chance to patch.
The vulnerability is fully resolved in the following patched Next.js releases:
- 15.0.5
- 15.1.9
- 15.2.6
- 15.3.6
- 15.4.8
- 15.5.7
- 16.0.7
For developers currently on the bleeding edge using Next.js 14 canary builds, the advice is to retreat to safety: downgrade to the latest stable 14.x release.