
RCE Vulnerability in React and Next.js

Recorded: Dec. 4, 2025, 3:05 a.m.

Original

RCE in React Server Components · Advisory · vercel/next.js · GitHub

RCE in React Server Components

Severity: Critical
Published by aaronbrown-vercel as GHSA-9qr9-h5gf-34mp on Dec 3, 2025

Package: next (npm)
Affected versions: >=14.3.0-canary.77, >=15, >=16
Patched versions: v16.0.7, v15.5.7, v15.4.8, v15.3.6, v15.2.6, v15.1.9, v15.0.5

Description

A vulnerability affects certain React packages [1] for versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55182.
Fixed in:
React: 19.0.1, 19.1.2, 19.2.1
Next.js: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7
The vulnerability also affects experimental canary releases starting with 14.3.0-canary.77. Users on any of the 14.3 canary builds should either downgrade to a 14.x stable release or 14.3.0-canary.76.
All users of stable 15.x or 16.x Next.js versions should upgrade to a patched, stable version immediately.
[1] The affected React packages are:

react-server-dom-parcel
react-server-dom-turbopack
react-server-dom-webpack
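As an added check (my code, not from the advisory or the Next.js project), the script below classifies the `next` and `react-server-dom-*` entries recorded in a package-lock.json against the affected and patched versions listed in the Description above; the status labels, function names and the sample lockfile are my own constructions. A canary release sorts below the stable release with the same number, so a 16.0.7-canary build is still reported as affected.

```javascript
// Added example (mine, not code from the advisory or the Next.js project): classifies the `next` and
// react-server-dom-* entries of a package-lock.json against the advisory's affected/patched versions.
const NEXT_PATCHED = { '15.0': '15.0.5', '15.1': '15.1.9', '15.2': '15.2.6', '15.3': '15.3.6',
  '15.4': '15.4.8', '15.5': '15.5.7', '16.0': '16.0.7' };
const RSC_PATCHED = { '19.0': '19.0.1', '19.1': '19.1.2', '19.2': '19.2.1' };
const RSC_PKGS = ['react-server-dom-parcel', 'react-server-dom-turbopack', 'react-server-dom-webpack'];
// Parse "16.0.7" or "14.3.0-canary.77"; prerelease identifiers are kept for ordering.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] ? m[4].split('.') : null };
}
// Semver ordering: a prerelease sorts below its release (16.0.7-canary.1 < 16.0.7) and
// numeric prerelease identifiers compare as numbers (canary.100 > canary.77).
function compareVersions(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (const k of ['major', 'minor', 'patch']) if (x[k] !== y[k]) return x[k] - y[k];
  if (!x.pre || !y.pre) return (x.pre ? -1 : 0) + (y.pre ? 1 : 0);
  for (let i = 0; i < Math.min(x.pre.length, y.pre.length); i++) {
    const p = x.pre[i], q = y.pre[i];
    const c = /^\d+$/.test(p) && /^\d+$/.test(q) ? p - q : p.localeCompare(q);
    if (c !== 0) return c;
  }
  return x.pre.length - y.pre.length;
}
// Labels are mine: 'not-affected' | 'affected' | 'patched' | 'unknown' (inside the affected range,
// but the advisory names no patched release for that minor line). Canaries below a patch count as affected.
function versionStatus(name, version) {
  const v = parseVersion(version), isNext = name === 'next';
  if (isNext && v.major === 14) return compareVersions(version, '14.3.0-canary.77') >= 0 ? 'affected' : 'not-affected';
  if (isNext ? v.major < 14 : !RSC_PKGS.includes(name) || v.major !== 19) return 'not-affected';
  const patched = (isNext ? NEXT_PATCHED : RSC_PATCHED)[`${v.major}.${v.minor}`];
  if (!patched) return 'unknown';
  return compareVersions(version, patched) >= 0 ? 'patched' : 'affected';
}
// Walk a lockfileVersion 2/3 "packages" map; nested copies under node_modules are checked too.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, info] of Object.entries(lock.packages || {})) {
    if (!path || !info.version) continue; // root project entry, or a link without a version
    const status = versionStatus(path.split('node_modules/').pop(), info.version);
    if (status === 'affected' || status === 'unknown') findings.push({ path, version: info.version, status });
  }
  return findings;
}
// Constructed sample lockfile (not a real project): one affected and one patched dependency.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: { '': { name: 'demo-app' },
  'node_modules/next': { version: '15.5.6' }, 'node_modules/react-server-dom-webpack': { version: '19.2.1' } } };
console.log(auditLockfile(SAMPLE_LOCK)); // [{ path: 'node_modules/next', version: '15.5.6', status: 'affected' }]
```

Run it against a real lockfile with `auditLockfile(JSON.parse(fs.readFileSync('package-lock.json', 'utf8')))`; a `unknown` result means the minor line is inside the advisory's affected range but has no listed patch, so check the advisory again rather than assuming it is safe.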

CVSS overall score: 10.0 / 10 (the Common Vulnerability Scoring System rates overall severity from 0 to 10)

CVSS v3 base metrics:
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVE ID: CVE-2025-66478
Weaknesses: No CWEs
Credits: lachlan2k (Reporter)

Summarized

This GitHub Advisory details a critical Remote Code Execution (RCE) vulnerability in React Server Components (RSC) affecting Next.js 15.x and 16.x (App Router) and the experimental canary releases from 14.3.0-canary.77 onward. It is tracked as CVE-2025-66478, with the upstream React issue tracked as CVE-2025-55182, and it originates in the React RSC packages `react-server-dom-parcel`, `react-server-dom-turbopack`, and `react-server-dom-webpack`; frameworks that bundle those packages, Next.js included, inherit the flaw.

The advisory gives no technical root cause (it lists no CWE). The practical effect is that insufficiently validated input reaching the server-side processing of React Server Components lets a remote attacker execute arbitrary code on the server. The severity is rated Critical, reflecting the potential for complete server compromise.

The CVSS metrics spell this out. The attack vector is Network, so the vulnerability is exploitable remotely; attack complexity is Low, meaning no special conditions outside the attacker's control are needed; and neither privileges nor user interaction are required. Scope is Changed, meaning a compromised RSC component can affect resources beyond its own security context. The Confidentiality, Integrity, and Availability impacts are all High: data exposure, data tampering, and service disruption are all in play.

The advisory calls for immediate action. Users on stable Next.js 15.x or 16.x should upgrade to a patched stable release; users on the 14.3 canary builds (14.3.0-canary.77 and later) should downgrade to a 14.x stable release or to 14.3.0-canary.76. The fix ships in React 19.0.1, 19.1.2 and 19.2.1, and in Next.js 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7 and 16.0.7.

The base CVSS score is 10.0, the maximum, given the Changed scope, the network attack vector, and High impact on confidentiality, integrity and availability. No CWE is assigned, so the advisory does not characterise the root cause. The vulnerability was reported by lachlan2k. The advisory's message is plain: patch immediately, and stay vigilant for similar vulnerabilities in the fast-moving RSC and Next.js ecosystem.