DEV Community

Anik Routh
Fixing CVE-2025-66478 in Next.js: Universal Guide


A universal fix for CVE-2025-66478 involves upgrading to patched Next.js versions or downgrading from affected canaries, followed by secret rotation.

Vulnerability Overview

CVE-2025-66478 is a critical remote code execution (RCE) flaw in the React Server Components (RSC) protocol used by the Next.js App Router. It stems from the upstream React vulnerability CVE-2025-55182. In vulnerable setups, an attacker can supply untrusted input to the RSC protocol that triggers arbitrary code execution on the server.

Affected Versions

  • Next.js 15.x (all)
  • Next.js 16.x (all)
  • Next.js 14.3.0-canary.77 and later canaries

Unaffected: Next.js 13.x, stable 14.x, Pages Router apps, Edge Runtime.

Patched & Safe Versions

Upgrade to these patches:

  • next@15.0.5 (15.0.x)
  • next@15.1.9 (15.1.x)
  • next@15.2.6 (15.2.x)
  • next@15.3.6 (15.3.x)
  • next@15.4.8 (15.4.x)
  • next@15.5.7 (15.5.x)
  • next@16.0.7 (16.0.x)

For affected 14.x canaries: `npm install next@14` (latest stable).

Step-by-Step Fix for Any Version

  1. Check version: Run `npx next --version` or inspect `package.json`. Confirm that the app uses the App Router with RSC (Pages Router apps are unaffected).

  2. Select target:
    | Current Line | Target Command |
    |--------------|----------------|
    | 15.0.x | npm install next@15.0.5 |
    | 15.1.x | npm install next@15.1.9 |
    | 15.2.x | npm install next@15.2.6 |
    | 15.3.x | npm install next@15.3.6 |
    | 15.4.x | npm install next@15.4.8 |
    | 15.5.x | npm install next@15.5.7 |
    | 16.0.x | npm install next@16.0.7 |
    | 14.x canary | npm install next@14 |

  3. Install & rebuild: Execute the command for your line, then run `npm run build` and redeploy.

  4. Rotate secrets: After the upgrade, change all environment variables, API keys and database passwords, since a vulnerable deployment may already have exposed them.

No configuration workaround exists; upgrading is mandatory.
