惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

WordPress大学
WordPress大学
www.infosecurity-magazine.com
www.infosecurity-magazine.com
博客园 - 聂微东
博客园 - 【当耐特】
Last Week in AI
Last Week in AI
量子位
S
SegmentFault 最新的问题
Hugging Face - Blog
Hugging Face - Blog
B
Blog RSS Feed
V
V2EX
酷 壳 – CoolShell
酷 壳 – CoolShell
雷峰网
雷峰网
GbyAI
GbyAI
Jina AI
Jina AI
宝玉的分享
宝玉的分享
腾讯CDC
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
D
Docker
博客园_首页
N
News and Events Feed by Topic
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
Help Net Security
Help Net Security
Recent Commits to openclaw:main
Recent Commits to openclaw:main
C
Cisco Blogs
F
Fortinet All Blogs
SecWiki News
SecWiki News
AI
AI
S
Schneier on Security
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
The Last Watchdog
The Last Watchdog
Martin Fowler
Martin Fowler
A
About on SuperTechFans
T
Troy Hunt's Blog
P
Proofpoint News Feed
Blog — PlanetScale
Blog — PlanetScale
Hacker News: Ask HN
Hacker News: Ask HN
F
Full Disclosure
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
I
InfoQ
S
Security @ Cisco Blogs
Project Zero
Project Zero
Simon Willison's Weblog
Simon Willison's Weblog
C
Cyber Attacks, Cyber Crime and Cyber Security
J
Java Code Geeks
N
News | PayPal Newsroom
IT之家
IT之家
大猫的无限游戏
大猫的无限游戏
H
Hacker News: Front Page

Next.js Blog

Next.js Security Release and Our Next Patch Release Turbopack: What's New in Next.js 16.3 Next.js 16.3: AI Improvements Next.js 16.3: Instant Navigations Next.js Across Platforms: Adapters, OpenNext, and Our Commitments Next.js 16.2: AI Improvements Next.js 16.2 Turbopack: What's New in Next.js 16.2 Building Next.js for an agentic future Inside Turbopack: Building Faster by Building Less Next.js 16.1 Next.js Security Update: December 11, 2025 Next.js 16 Next.js 16 (beta) Next.js 15.5 Next.js 15.4 Next.js 15.3 Building APIs with Next.js Next.js 15.2 Composable Caching with Next.js Next.js 15.1 Our Journey with Caching Next.js 15 Turbopack Dev is Now Stable Next.js 15 RC 2 Next.js 15 RC Next.js 14.2 Next.js 14.1 Next.js 14 How to Think About Security in Next.js Next.js 13.5 Next.js App Router Update Next.js 13.4 Next.js 13.3 Next.js 13.2 Next.js 13.1 Next.js 13 Next.js 12.3 Next.js 12.2 Layouts RFC Next.js 12.1 Next.js 12 Next.js 11.1 Next.js 11 Next.js 10.2 Next.js 10.1 Incrementally Adopting Next.js Next.js 10 Next.js 9.5 Next.js 9.4 Next.js 9.3 Next.js 9.2 Next.js 9.1.7 Introducing Create Next App Next.js 9.1 Next.js 9.0.7 Next.js 9 Next.js 8.1 Next.js 8.0.4 Styling Next.js with Styled JSX Next.js 8 Webpack Memory Improvements Next.js 8 Next.js 7 Next.js 6.1 Next.js 6 and Nextjs.org Next.js 5.1: Faster Page Resolution, Environment Config & More Next.js 5: Universal Webpack, CSS Imports, Plugins and Zones
Security Advisory: CVE-2025-66478
Josh Story, Sebastian Markbåge · 2025-12-04 · via Next.js Blog
Back to Blog

Wednesday, December 3rd 2025

Posted by

December 06, 9:05 PM PST: If your application was online and unpatched as of December 4th, 2025 at 1:00 PM PT, we strongly encourage you to rotate any secrets it uses, starting with your most critical ones.

December 06, 7:29 AM PST: An npm package has been released to update affected Next.js apps. Use npx fix-react2shell-next to update now, or visit the GitHub repository to learn more.

A critical vulnerability has been identified in the React Server Components (RSC) protocol. The issue is rated CVSS 10.0 and can allow remote code execution when processing attacker-controlled requests in unpatched environments.

This vulnerability originates in the upstream React implementation (CVE-2025-55182). This advisory (CVE-2025-66478) tracks the downstream impact on Next.js applications using the App Router.

Impact

The vulnerable RSC protocol allowed untrusted inputs to influence server-side execution behavior. Under specific conditions, an attacker could craft requests that trigger unintended server execution paths. This can result in remote code execution in unpatched environments.

All users should upgrade to a patched version immediately. See the required action section for specific instructions.

Affected Next.js Versions

Applications using React Server Components with the App Router are affected when running:

  • Next.js 15.x
  • Next.js 16.x
  • Next.js 14.3.0-canary.77 and later canary releases

Next.js 13.x, Next.js 14.x stable, Pages Router applications, and the Edge Runtime are not affected.

Fixed Versions

The vulnerability is fully resolved in the following patched Next.js releases:

  • 15.0.5
  • 15.1.9
  • 15.2.6
  • 15.3.6
  • 15.4.8
  • 15.5.7
  • 16.0.7

We also released patched canary releases for Next.js 15 and 16:

  • 15.6.0-canary.58 (for 15.x canary releases)
  • 16.1.0-canary.12 (for 16.x canary releases)

These versions include the hardened React Server Components implementation.

Required Action

All users should upgrade to the latest patched version in their release line:

If you are on Next.js 14.3.0-canary.77 or a later canary release, downgrade to the latest stable 14.x release:

If you're currently using canary releases to enable PPR, you can update to 15.6.0-canary.58, which includes a fix for the vulnerability while continuing to support PPR. For other ways to patch older versions, see this discussion post.

Run npx fix-react2shell-next to launch an interactive tool which can check versions and perform deterministic version bumps per the recommended versions above. See the GitHub repository for full details.

There is no workaround—upgrading to a patched version is required.

Rotating environment variables

Once you have patched your version and re-deployed your application, we recommend rotating all your application secrets. Learn about working with environment variables in the documentation here.

Resources

Discovery

Thank you to Lachlan Davidson for discovering and responsibly disclosing this vulnerability. We are intentionally limiting technical detail in this advisory to protect developers who have not yet upgraded.