
Critical Security Vulnerabilities in Next.js and React - December 2025

Nikola Filipovski
Full-Stack Web Developer
In December 2025, critical security vulnerabilities were disclosed in Next.js and React Server Components, affecting multiple versions and requiring immediate attention from developers.
Next.js: CVE-2025-66478
Next.js reported a critical vulnerability identified as CVE-2025-66478. The issue allowed potential unauthenticated remote code execution through flaws in Next.js server-side request handling. Developers were strongly advised to upgrade to the patched versions to secure their applications. Affected versions included multiple releases in the Next.js 15 line and early releases in the Next.js 16 line. The fix ensures proper validation and sanitization of server-side requests, closing the security gap.
- Immediate action: upgrade to the latest patched release in your current release line
- All users on Next.js 14.3.0-canary or later should revert to stable 14.x until fixed
- The vulnerability affected server-side request handling, even in apps that do not directly use certain server functions
React: CVE-2025-55182
React Server Components also faced a critical security vulnerability (CVE-2025-55182) allowing unauthenticated remote code execution. The flaw existed in how React decoded payloads sent to React Server Function endpoints. Even applications that do not explicitly use React Server Functions could be affected if they supported React Server Components.
- Affected packages: react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack
- Severity: CVSS 10.0 (critical), the highest possible score on the 0-10 scale
- Immediate fix: upgrade React, React DOM, and related server packages to the patched versions
- Hosting mitigations were applied by providers, but updating is required for full security
Impact and Recommendations
Both vulnerabilities emphasize the importance of keeping dependencies up-to-date and monitoring server-side frameworks for security risks. Developers using Next.js and React Server Components should:
- Immediately update to the latest patched versions
- Review server-side endpoint usage to limit exposure
- Apply standard security practices such as input validation, access control, and monitoring
- Test your deployments after upgrades to ensure all security patches are effective
Ignoring these updates could allow attackers to execute arbitrary code on servers, potentially compromising user data and application integrity. Security-first practices are essential in modern web development, especially with server-driven frameworks.
React.js vulnerable versions
- 19.0
- 19.1.0
- 19.1.1
- 19.2.0
Affected packages are:
- react-server-dom-webpack
- react-server-dom-parcel
- react-server-dom-turbopack
A fix was introduced in versions 19.0.1, 19.1.2, and 19.2.1. If you are using any of the above packages and/or any of the above React versions, upgrade to one of the fixed versions immediately.
Next.js vulnerable versions
- Next.js 15.x
- Next.js 16.x
- Next.js 14.3.0-canary.77 and later canary releases
The vulnerability is fully resolved in the following patched Next.js releases:
- 15.0.5
- 15.1.9
- 15.2.6
- 15.3.6
- 15.4.8
- 15.5.7
- 15.6.0-canary.58
- 16.0.7
These versions include the hardened React Server Components implementation.
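The version lists above are easiest to act on if they are turned into a check that runs against what is actually installed. The following Node.js script is an added example for this post, not code from the Next.js or React projects or from the advisories themselves: it encodes the patched releases named on this page, walks the `packages` map of an npm `package-lock.json` (v2/v3 format), and classifies each in-scope package as patched, vulnerable, or not covered by the lists here. The lockfile contents are constructed sample data; the status names, the decision to treat `react` and `react-dom` as in scope (because the post says to upgrade them), and the conservative handling of the 14.x canary line are this example's assumptions.

```javascript
// Added example: audit an npm lockfile against the patched versions listed in this post.
// Status values are this example's own: 'patched', 'vulnerable', 'unknown-line' (an
// affected major whose minor line has no fix listed here; consult the upstream advisory)
// and 'not-listed' (a version the post does not name as vulnerable).

const REACT_PACKAGES = new Set([
  'react', 'react-dom',                         // the post says to upgrade these too
  'react-server-dom-webpack', 'react-server-dom-parcel', 'react-server-dom-turbopack',
]);

const ADVISORIES = {
  next: {
    cve: 'CVE-2025-66478',
    // earliest patched release per minor line, taken from the post
    patched: ['15.0.5', '15.1.9', '15.2.6', '15.3.6', '15.4.8', '15.5.7', '15.6.0-canary.58', '16.0.7'],
    affectedMajors: [15, 16],
    // 14.3.0-canary.77 and later canaries are vulnerable per the post; anything at or
    // above it in the 14.x line is flagged (conservative on purpose)
    firstVulnerableCanary: '14.3.0-canary.77',
  },
  react: {
    cve: 'CVE-2025-55182',
    patched: ['19.0.1', '19.1.2', '19.2.1'],
    affectedMajors: [19],
  },
};

// Parse "15.6.0-canary.58" into comparable parts; a missing patch number means .0.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)(?:\.(\d+))?(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +(m[3] || 0), pre: m[4] ? m[4].split('.') : null };
}

// Semver-style precedence: numeric core first, then a release outranks any of its
// prereleases, then prerelease identifiers compared left to right.
function compareVersions(a, b) {
  for (const k of ['major', 'minor', 'patch']) {
    if (a[k] !== b[k]) return a[k] < b[k] ? -1 : 1;
  }
  if (!a.pre && !b.pre) return 0;
  if (!a.pre) return 1;
  if (!b.pre) return -1;
  const n = Math.max(a.pre.length, b.pre.length);
  for (let i = 0; i < n; i++) {
    if (a.pre[i] === undefined) return -1;      // shorter identifier list sorts first
    if (b.pre[i] === undefined) return 1;
    const x = a.pre[i], y = b.pre[i];
    if (/^\d+$/.test(x) && /^\d+$/.test(y)) {
      if (+x !== +y) return +x < +y ? -1 : 1;
    } else if (x !== y) {
      return x < y ? -1 : 1;
    }
  }
  return 0;
}

// Classify one installed package; returns null for packages outside this advisory's scope.
function assess(name, version) {
  const adv = name === 'next' ? ADVISORIES.next : REACT_PACKAGES.has(name) ? ADVISORIES.react : null;
  if (!adv) return null;
  const v = parseVersion(version);
  const fixedIn = adv.patched.find((s) => {
    const p = parseVersion(s);
    return p.major === v.major && p.minor === v.minor;
  });
  let status;
  if (fixedIn) {
    status = compareVersions(v, parseVersion(fixedIn)) >= 0 ? 'patched' : 'vulnerable';
  } else if (adv.firstVulnerableCanary && v.major === parseVersion(adv.firstVulnerableCanary).major) {
    status = compareVersions(v, parseVersion(adv.firstVulnerableCanary)) >= 0 ? 'vulnerable' : 'not-listed';
  } else if (adv.affectedMajors.includes(v.major)) {
    status = 'unknown-line';
  } else {
    status = 'not-listed';
  }
  return { name, version, status, cve: adv.cve, fixedIn: fixedIn || null };
}

// Walk a parsed package-lock.json (lockfileVersion 2 or 3) and report in-scope packages,
// including nested copies such as node_modules/a/node_modules/react.
function auditLockfile(lock) {
  const findings = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (key === '' || !entry.version) continue;   // root project entry or link without a version
    const name = key.slice(key.lastIndexOf('node_modules/') + 'node_modules/'.length);
    const result = assess(name, entry.version);
    if (result) findings.push({ ...result, path: key });
  }
  return findings;
}

// Constructed sample lockfile (not a real project): one patched and one vulnerable
// package from each framework, plus an out-of-scope dependency that must be ignored.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/next': { version: '15.5.6' },
    'node_modules/react': { version: '19.2.1' },
    'node_modules/react-dom': { version: '19.2.0' },
    'node_modules/react-server-dom-webpack': { version: '19.2.1' },
    'node_modules/lodash': { version: '4.17.21' },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.status.padEnd(12)} ${f.path} ${f.version} (${f.cve}, fixed in ${f.fixedIn || 'n/a'})`);
}
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` and treat any `vulnerable` or `unknown-line` result as a blocker in CI. The comparison deliberately handles prerelease identifiers, because the post's patched set includes `15.6.0-canary.58` and the vulnerable range starts at `14.3.0-canary.77`; a plain string or float comparison would misclassify both lines.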
Conclusion
The December 2025 vulnerabilities in Next.js and React serve as a strong reminder of the evolving risks in modern web frameworks. Developers must act quickly to patch affected versions and ensure that their server-side components handle requests securely.
Staying informed through official security advisories and implementing rigorous update and testing practices remains the most effective way to protect applications against emerging threats.
Sources:
- Next.js Security Advisory CVE-2025-66478
- React Server Components Vulnerability