Next.js App Router apps are exposed to a severe RCE vulnerability (CVE-2025-66478) caused by a weakness in the React Server Components protocol. This article outlines the impacted versions, urgent patching steps, and how organisations can secure their platform with Dotsquares’ emergency remediation support.
If your website or application is built using Next.js (App Router), this update is extremely important.
A newly discovered security flaw (CVE-2025-66478) has exposed many applications to the risk of Remote Code Execution (RCE) — the most serious type of security issue, where attackers can run their own code on your server.
The root cause of the vulnerability is in the upstream React implementation (CVE-2025-55182). This advisory (CVE-2025-66478) tracks the Next.js-specific manifestation of that React flaw in applications that use the App Router.
The architectural change that introduced the App Router in Next.js also introduced a dependency on React Server Components (RSC). The RSC protocol is designed to securely render components on the server before streaming the output to the client.
The flaw lies not in Next.js itself, but in how the upstream RSC protocol handles attacker-controlled data streams during component hydration and processing. In essence, data that was meant for the client can be misinterpreted by the server as code and executed during this phase of the server interaction.
This flaw can be triggered simply by sending a specially crafted request to your website: no login required, no special access needed.
If exploited, attackers could potentially run their own code on your server. Because that code runs on the server, the bug bypasses the browser's normal security mechanisms as well as perimeter firewalls, which is what makes this an RCE vulnerability, the most severe kind of security defect.
Due to the fundamental nature of the exploited protocol, the scope is narrow but the risk is absolute for those affected.
Our directive is clear: even if you primarily use the Pages Router, all dependencies must be audited. If your Next.js version is capable of running the App Router, the project requires immediate inspection and patching.
Given the critical nature of RCE, the window you have before attackers exploit it is narrow. This is not a matter of scheduling; it is a matter of immediate execution.
Handling a CVSS 10.0 RCE vulnerability is a matter that demands deep expertise in the Next.js runtime environment, understanding of continuous integration pipelines, and familiarity with advanced security auditing tools. The specialist teams we have in place can provide the necessary support to companies which cannot afford to deploy their own teams on the spot.
Your platform is handled under strict, internationally recognised security standards.
Our processes follow a globally approved, repeatable, and reliable quality management framework.
Recognised for excellence in technology and innovation — proof of our commitment to world-class delivery.
Decades of multi-industry expertise protecting high-risk and enterprise-scale applications.
Immediate response when every minute matters.
The vulnerability CVE-2025-66478 represents a fundamental challenge to the security of any application that makes use of the Next.js App Router. It is essentially a test of the robustness of a company's security measures and of its ability to react.
Our security provision for all applications that we manage is always of the highest standard. Never take this RCE issue lightly.
If your application uses the Next.js App Router and requires immediate, expert assistance to ensure compliance and security validation, contact our expert team immediately.
If your project uses the Next.js App Router (/app directory) or runs on a vulnerable React Server Components (RSC) version, it is likely affected. Apps using only the Pages Router are generally safe but still need a dependency audit.
The vulnerability allows attackers to execute code on your server, not the browser, making it a remote code execution (RCE) threat. This means hackers could potentially gain full control over your application or server environment if left unpatched.
To fix the vulnerability, upgrade to the latest patched version of Next.js and React immediately. Review your server configurations, security headers, and dependencies, and perform a security audit to verify that all RSC-related risks are fully patched.
Mostly yes. The RCE attack vector is tied to React Server Components, which the older Pages Router does not use. However, if your Next.js version supports App Router features, you still need to audit and update all dependencies.
Implement ongoing dependency monitoring, enable CSP and security headers, use automated security scanning tools, and maintain regular code audits. Partnering with an experienced Next.js security team helps ensure rapid response when new vulnerabilities appear.