DEV Community: Nazmus Sakib Apurba

Critical High-Risk Alert: Severe Remote Code Execution Vulnerability in Next.js and React (CVE-2025-66478 / CVE-2025-55182)

Nazmus Sakib Apurba — Sat, 06 Dec 2025 16:50:17 +0000

This is an extremely important announcement for web developers and cybersecurity professionals. A groundbreaking security vulnerability has recently been identified in the React and Next.js frameworks that can lead to Remote Code Execution (RCE). This vulnerability has received the maximum CVSS score of 10.0 for cybersecurity risk.

The issue is tracked as CVE-2025-55182 for React (the upstream issue) and CVE-2025-66478 for Next.js applications (the downstream impact, though CVE-2025-66478 was later marked as a duplicate of CVE-2025-55182, it is still used in the context of Next.js advisories).

1. Vulnerability Summary and Root Cause

Executive Summary

A critical RCE vulnerability has been identified in the "Flight" protocol used by React Server Components (RSC). This flaw allows an unauthorized attacker to execute arbitrary code on the server, leveraging specially crafted HTTP requests that exploit insecure deserialization.

Risk Level: CVSS 10.0 (Critical)
Vulnerability Type: Remote Code Execution (RCE)
Impact: Can be exploited nearly 100% reliably on vulnerable applications without any modification to default configurations.
Root Cause: React Server Components (RSC) used insecure deserialization when processing HTTP requests, allowing attackers to unsafely call built-in Node.js modules. The Next.js App Router is affected because it embeds and relies on React’s RSC/DOM package for server-side processing.

2. Scope of Impact and Affected Versions

Millions of applications worldwide may be affected, as both React and Next.js are foundationally used across various enterprise environments.

Vulnerable Versions

This vulnerability affects the React 19 ecosystem and all frameworks that depend on its vulnerable RSC implementation.

Framework	Vulnerable Version Range	Important Notes
React Server	19.0.0, 19.1.0, 19.1.1, 19.2.0	Includes `react-server-dom-webpack`, `react-server-dom-parcel`, `react-server-dom-turbopack`.
Next.js (with App Router)	15.0.0 – 15.0.4, 15.1.0 – 15.1.8, 15.2.0 – 15.5.6, 16.0.0 – 16.0.6	Also includes 14.3.0-canary.77 and later Canary releases.
Other Frameworks	`react-router`, `waku`, `@parcel/rsc`, `@vitejs/plugin-rsc`, `rwsdk`, and `RedwoodJS` (RSC mode)	Other frameworks relying on the vulnerable React RSC implementation may also be affected.

Safe Versions and Configurations

The following versions and configurations are not affected by this vulnerability:

Framework	Safe Version	Notes
React Server	19.0.1, 19.1.2, 19.2.1	Officially patched versions.
Next.js	13.x, 14.x (Stable), 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7	Next.js applications using the Pages Router or the Edge Runtime are not affected.

3. Detection and Verification

To verify if your application is vulnerable, check for the following criteria:

RSC Usage: Verify if your project utilizes React Server Components (RSC).
Framework Dependencies: Check if your application uses key dependencies like next, react-router, waku, @parcel/rsc, @vitejs/plugin-rsc, or rwsdk.
Code Inspection: Look for the 'use server' or 'use client' directives in your code, which indicate RSC usage.
Version Check: If you are using RSC, ensure your next or react version is outside of the vulnerable ranges listed above.

4. Required Action and Mitigation

The only complete protection against this RCE vulnerability is to upgrade immediately to the official patched versions. No configuration changes will fully mitigate the risk.

Official Upgrade

Upgrade to the secure version using the commands below:

Release Line	Secure Version	Command
Next.js 15.0.x	15.0.5	`npm install next@15.0.5`
Next.js 15.5.x	15.5.7	`npm install next@15.5.7`
Next.js 16.0.x	16.0.7	`npm install next@16.0.7`
Next.js 15.x (Canary)	15.6.0-canary.58	`npm install next@15.6.0-canary.58`

React upgrade download link: https://github.com/facebook/react/releases
Next.js upgrade download link: https://github.com/vercel/next.js/tags

Temporary Mitigation (If Upgrade is Impossible)

Disable React Server Components: Temporarily turn off RSC features in configuration, if business logic allows.
Restrict Access to Server Function Endpoints: Use Web Application Firewalls (WAF) or other network security measures to limit external access.

5. Vulnerability Discovery and Acknowledgment

Special thanks to Lachlan Davidson for responsibly discovering and reporting this critical security vulnerability. Their efforts help keep the developer community safe. Technical details are limited in this advisory to protect developers who have not yet upgraded.

Security first. Upgrade your applications immediately to stay protected.

References:

From Smart Assistants to Human-Like Minds: The Journey from AI to AGI

Nazmus Sakib Apurba — Thu, 10 Jul 2025 06:36:18 +0000

"The question is not whether intelligent machines can have any emotions, but whether machines can be intelligent without any emotions."
— Marvin Minsky, AI pioneer

Technology today is growing at an unbelievable speed. You’ve probably heard terms like AI, machine learning, automation, and now — AGI. But what do they really mean? More importantly, how do they impact you and the world you live in?

Artificial Intelligence (AI) is already part of our lives. We use it every day, often without realizing it. But Artificial General Intelligence (AGI) is something much bigger — something still in the making, but with the potential to change the world completely.

This article will explain what AI and AGI are, how they are different, and why understanding that difference matters in our daily lives — in the simplest way possible.

What is AI? — The Smart Assistant We Already Use

AI, or Artificial Intelligence, is like a smart assistant trained to do one job — and do it very well. You interact with AI almost every day. When you ask your phone a question, when Netflix recommends a movie, or when Gmail filters out spam — that’s AI at work.

For example, think about Google Translate. It can translate hundreds of languages. But if you ask it to play chess, it won’t have a clue what to do. That’s because AI is narrow — it’s designed to solve a specific problem, not understand the world.

Real-life Examples of AI:

Siri or Google Assistant answers your questions and sets reminders.
Spotify or YouTube suggests music or videos based on your taste.
Amazon shows you product recommendations based on what you’ve clicked before.
Facebook recognizes your face in a photo and tags you.
Self-driving cars use AI to stay in lanes and avoid accidents.

AI is trained using large amounts of data. If you give it millions of pictures of cats, it will eventually learn what a cat looks like. But if you show it a picture of a fox, it might get confused — unless it has seen enough foxes during training.

So, while AI feels magical, it is actually more like a powerful calculator — very fast, very smart, but only in the field it was trained for.

What is AGI? — The Human-Like Mind of the Future

Now imagine a computer that could do anything a human can. Not just follow commands, but actually think, learn, reason, and even create. That’s what AGI, or Artificial General Intelligence, is all about.

AGI is still just an idea — but a powerful one. While AI is like a highly skilled worker doing one job, AGI would be like a person who can learn any job over time. It would understand concepts, solve problems it’s never seen before, and adapt like a human being.

Let’s imagine an AGI in the real world:

You ask it to design a house. It sketches out beautiful architecture.
Then you ask it to write a novel. It writes a moving story with deep emotion.
Later, you hand it a medical paper — it reads it, explains it, and finds a mistake in the math.

That is what AGI is supposed to be — not just a program, but an intelligent being capable of doing any mental task a human can.

"AGI is not just about solving problems. It’s about understanding why problems matter in the first place."

AGI might one day teach itself, learn languages on the fly, build relationships, or even hold beliefs and emotions. Some scientists believe AGI may also become self-aware — meaning it could understand its own existence.

But let’s be clear — AGI does not exist yet. It is still being researched. Some say we might achieve it in 20 years, others say it could take centuries. No one knows for sure.

The Big Difference — AI vs. AGI Side-by-Side

Let’s break it down with a comparison to make it more clear:

Feature	AI (What We Have Today)	AGI (What We're Dreaming Of)
Scope	Narrow — designed for one task	General — can learn and perform any task
Learning	Learns from specific data sets	Learns and reasons like a human across all domains
Understanding	Matches patterns, no real "understanding"	Truly understands concepts and situations
Adaptability	Needs retraining for new problems	Adapts naturally to new tasks without reprogramming
Examples	Chatbots, spam filters, image recognition, translation	Doesn’t exist yet — future goal
Self-awareness	Not aware of its actions	Could be conscious or self-aware (still theoretical)

Why It Matters — The Future of Work, Ethics, and Humanity

Understanding the difference between AI and AGI isn’t just a tech topic. It touches on education, jobs, ethics, and even our definition of life.

Today’s AI is transforming industries — helping doctors diagnose faster, automating customer support, and improving transportation. It helps people work better, not replace them entirely.

But AGI, if it ever becomes real, could be far more powerful. It could lead to solutions for climate change, poverty, or incurable diseases. On the other hand, it also raises serious concerns: Who controls AGI? What if it makes decisions that humans can’t understand or stop? Could it be dangerous? Could it one day outsmart us?

"With great power comes great responsibility. AGI may one day be the greatest power ever created — if we choose to build it."

These aren’t science fiction questions anymore. They are ethical, political, and deeply human questions we must start asking now.

Final Thoughts

Artificial Intelligence is already here. It’s in your phone, your car, your home, and your favorite apps. It helps us do things faster and better, but it doesn't think like us.

Artificial General Intelligence is still a dream — a machine that could truly think, learn, and create like a human being. It doesn’t exist yet, but it’s something researchers are working hard to make real.

Understanding the difference between AI and AGI helps us prepare for a future where machines could become not just tools — but thinking companions. It opens the door to both amazing possibilities and serious responsibility.

The journey from AI to AGI is not just a technical one. It’s a human story — and we are all part of it.

🔥 Claude + Filesystem MCP: Superpower File Management Using AI

Nazmus Sakib Apurba — Mon, 30 Jun 2025 10:25:16 +0000

Hey there, tech enthusiasts! If you’ve ever wanted to automate your file management tasks with the power of AI, you’re in for a treat. Today, I’m diving into how you can use the Claude File System MCP (Model Context Protocol) to organize your computer’s files effortlessly. Trust me, this is a game-changer, and you’re gonna love it! This blog will walk you through the setup, usage, and some practical examples to get you started. Plus, I’ll include code snippets to make it super clear. Let’s get started!

What is the Claude File System MCP?

The Model Context Protocol (MCP) is a protocol introduced by Anthropic in November 2024 to enable seamless integration between large language models (LLMs) like Claude and external data sources, such as your computer’s file system. With the Claude File System MCP, you can give Claude access to your files and directories, allowing it to read, write, move, or organize them based on your instructions. Imagine telling Claude, “Hey, sort my Downloads folder by file type,” and watching it create folders for images, text files, audio, and more, moving everything automatically. That’s the superpower we’re talking about!

This is perfect for developers, content creators, or anyone who wants to automate repetitive file management tasks without writing complex scripts from scratch. And the best part? It’s completely free to set up on your own computer.

Why Use the Claude File System MCP?

Automation: Organize files, create directories, and move files with simple prompts.
Integration: Connect Claude with your file system, Google Drive, or even third-party services like Amazon S3 or Gmail.
Flexibility: Works on Windows, macOS, or Linux with minimal setup.
Free and Open: The MCP server is open-source under the MIT License, so you can tweak it to your needs.

Prerequisites

Before we dive into the setup, you’ll need:

Node.js: The MCP server requires Node.js to run. Download it from nodejs.org and install it.
Claude Desktop: Download the Claude Desktop app from Anthropic’s website (free plan works fine).
Basic Terminal Knowledge: You’ll run a few commands to set up the MCP server.
VS Code (Optional): For easier configuration and integration.

Step-by-Step Setup

Let’s set up the Claude File System MCP on your computer. I’ll use a Windows example, but the process is similar for macOS and Linux.

Step 1: Install Node.js

Go to nodejs.org and download the latest LTS version.
Run the installer and follow the prompts (Next, Next, Install).
Verify the installation by opening a terminal (Command Prompt on Windows) and typing:

node --version

Step 2: Install Claude Desktop

Download the Claude Desktop app from Anthropic’s website.
Install it and sign in with your Google account (or create a free Anthropic account).
Once installed, open Claude Desktop and ensure it’s running.

Step 3: Configure the File System MCP

To connect Claude to your file system, you need to configure the MCP server. Here’s how:

1. Open Claude Desktop Settings:

Click the three-dot menu in Claude Desktop.
Go to Settings > Developer > Edit Config.
This opens the claude_desktop_config.json file in your default editor (e.g., Notepad++ or VS Code).

2. Add the File System MCP Server Configuration:
Replace the existing config with the following JSON, updating the paths to match your system. For example, I’ll use the Downloads folder for a user named “John” on Windows.

{
  "mcpServers": {
    "filesystem": {
      "command": "npx",
      "args": [
        "-y",
        "@modelcontextprotocol/server-filesystem",
        "C:\\Users\\John\\Downloads"
      ]
    }
  }
}

Explanation:

command: "npx": Uses NPX to run the MCP server.
args: Specifies the MCP server package (@modelcontextprotocol/server-filesystem) and the directory to access (C:\Users\John\Downloads).
Replace C:\Users\John\Downloads with the path to your desired folder (e.g., /Users/username/Downloads on macOS).

3. Save and Exit:

Save the claude_desktop_config.json file (Ctrl+S).
Close Claude Desktop completely (right-click the tray icon and select Quit).
Reopen Claude Desktop. It may take a moment to start the MCP server.

4. Verify the MCP Server:

Go back to Settings > Developer in Claude Desktop.

You should see a new File System MCP server listed. If it says “Disconnected,” double-check your config file paths or restart Claude.

Step 4: Test the Setup

Let’s test the MCP server by asking Claude to list the files in your Downloads folder.

In Claude Desktop, type:

List all files in my Downloads folder.

Claude will execute a command via the MCP server and return a list of files, like:

[FILE] image.jpg
[FILE] document.txt
[DIR] Telegram Desktop

If you see this, congratulations! Your MCP server is working.

Practical Example: Organize Your Downloads Folder

Now, let’s use the MCP server to organize your Downloads folder by file type, just like I described earlier. Here’s a sample prompt and what happens behind the scenes.

Prompt

Analyze all files in my Downloads folder. Create separate folders for each file type (e.g., Images, Text, Audio, System) and move the files into their respective folders.

What Claude Does

Analyzes Files: Claude scans the Downloads folder and identifies file types based on extensions (e.g., .jpg for images, .txt for text, .mp3 for audio).
Creates Folders: It creates directories like Images, Text, Audio, and System using the create_directory tool.
Moves Files: It uses the move_file tool to relocate each file to its corresponding folder.
Confirms Success: Claude notifies you when the task is complete.

Example Output

After running the prompt, your Downloads folder might look like this:

Downloads/
├── Images/
│   └── image.jpg
├── Text/
│   └── document.txt
├── Audio/
│   └── song.mp3
├── System/
│   └── setup.exe

Advanced Example: Create a Summary File

Let’s try something more advanced. Suppose you want Claude to research AI news from May 2025 and create a text file with links and descriptions.

Prompt

Collect all AI news from May 2025, including links and a few lines of description for each. Create a text file in my Downloads folder named "AI_News_May_2025.txt" with the results.

What Happens

1. Claude searches the web for AI news from May 2025 (using its DeepSearch mode, if enabled).
2. It compiles a list of articles with links and summaries.
3. It uses the write_file tool to create AI_News_May_2025.txt in your Downloads folder.

Sample Output File

AI News - May 2025

1. NotebookLM by Google
   - Link: https://example.com/notebooklm
   - Description: Google released an updated NotebookLM with enhanced AI capabilities for research and note-taking.

2. Veo by xAI
   - Link: https://example.com/veo
   - Description: xAI's Veo video generator now supports real-time video creation with improved quality.

3. Alpha Evolve by Google
   - Link: https://example.com/alpha-evolve
   - Description: Google’s new AI subscription model, Alpha Evolve, offers advanced features for developers.

You’ll see _AI_News_May_2025.txt _pop up in your Downloads folder, ready to use.

Tips and Best Practices

Use Dry Run for Edits: When using the edit_file tool, enable dryRun: true to preview changes before applying them.
Sandbox Directories: Only grant Claude access to specific folders (e.g., Downloads) to avoid accidental changes to critical files.
Check Permissions: If Claude prompts for access, select “Allow Always” for seamless operation, but be cautious with sensitive directories.

Explore Other MCP Servers: The File System MCP is just one option. Check out servers for Amazon S3, Gmail, or Stripe for more integrations.

Troubleshooting

MCP Server Disconnected: Ensure your claude_desktop_config.json paths are correct and Node.js is installed.
Permission Errors: Check if Claude has access to the specified directory. On Windows, run Claude Desktop as an administrator if needed.
Node.js Not Found: Verify Node.js installation with node --version. Reinstall if necessary.

Conclusion

The Claude File System MCP is a powerful tool for automating file management with AI. Whether you’re organizing your Downloads folder, creating summary files, or integrating with other services, MCP makes it incredibly easy. Plus, it’s free and open-source, so you can experiment and build your own integrations.

Want to dive deeper? Check out my ChatGPT & AI Master Course (link in description) for advanced AI automation techniques, including how to build SaaS businesses with AI. I’ve covered everything from prompt engineering to social media automation—perfect for taking your skills to the next level.

Try out the Claude File System MCP today, and let me know in the comments how it’s working for you! Happy automating!

References:
Model Context Protocol Servers
Introducing the MCP