How to Fix the Next.js RCE Vulnerability (CVE-2025-66478)


Critical Security Alert: A Major Vulnerability Found in Next.js Applications

Summary:

Next.js App Router apps are exposed to a severe RCE vulnerability (CVE-2025-66478) caused by a weakness in the React Server Components protocol. This article outlines the impacted versions, urgent patching steps, and how organisations can secure their platform with Dotsquares’ emergency remediation support.

What Is the Next.js RCE Vulnerability (CVE-2025-66478)?

If your website or application is built using Next.js (App Router), this update is extremely important.

A newly discovered security flaw (CVE-2025-66478) has exposed many applications to the risk of Remote Code Execution (RCE) — the most serious type of security issue, where attackers can run their own code on your server.

The root cause of the vulnerability lies in the upstream React implementation (CVE-2025-55182). This advisory (CVE-2025-66478) tracks the Next.js-specific impact of that React issue on applications using the App Router.

What Happened?

The architectural change that introduced the App Router in Next.js also introduced a dependency on React Server Components (RSC). The RSC protocol is designed to securely render components on the server before streaming the output to the client.

The flaw lies not in Next.js itself, but in how the upstream RSC protocol handles specific attacker-controlled data streams during component hydration and processing. Essentially, this weakness lets data that was meant for the client be misread by the server as code that can be run during this phase of the server interaction.
This flaw can be triggered simply by sending a specially crafted request to your website, with no login or special access required.

If exploited, attackers could potentially:

  • Take control of your server
  • Steal or modify data
  • Interfere with website functionality
  • Install malicious code

Because the attacker-controlled code runs on the server, the bug bypasses the browser's normal security mechanisms as well as firewalls; this is what makes it an RCE vulnerability, the most severe kind of security defect.

Who Is Affected by CVE-2025-66478?

Due to the fundamental nature of the exploited protocol, the scope is narrow but the risk is absolute for those affected.

Who Is Affected (Immediate Action Required):

  • All Next.js applications running the App Router. If your project uses the /app directory structure, you are considered high-risk, regardless of how simple your application is.
  • Any application using a vulnerable version of Next.js that supports the App Router structure.

Who Is NOT Affected (Verification Still Required):

  • Applications still running the older Pages Router structure (/pages directory only). While the upstream React vulnerability exists, the attack vector specific to this CVE chain (RSC processing) is not present.
  • Projects running the newest, patched versions as specified in the official advisory.

Our directive is clear: Even if you primarily use the Pages Router, all dependencies must be audited. If your project has the capacity to run the App Router (based on your Next.js version), it requires immediate inspection and patching.

Your Next.js App Might Be Vulnerable — Get a Free Security Check

Worried your project might fall under the high-risk category? Our security team can review your Next.js setup and confirm whether you're exposed.


Steps to Fix the Next.js RCE Vulnerability

Given the critical nature of RCE, the window for attacker exploitation is narrow. This is not a matter of scheduling; it is a matter of immediate execution.

Phase 1: Immediate Remediation

  1. Stop Development: Halt all non-essential deployments and feature work on affected Next.js projects immediately.
  2. Consult Advisory: Pinpoint the exact vulnerable version ranges for Next.js by consulting the official advisory from Vercel.
  3. Patch/Upgrade: Immediately upgrade all affected projects to the patched version recommended by the advisory. This must be tested on a separate branch before deployment.
  4. Configuration Check: Review and reinforce security headers and Content Security Policy (CSP) to mitigate secondary attack vectors.
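
The version audit in steps 2 and 3 can be scripted. The following Node.js helper is an added example (not code from the article, Next.js or Vercel): it flags App Router usage from a project's file list and compares installed package versions against one fixed version per release line, which is how advisories of this kind publish their fixes. The fixed-version table inside `auditSample()` is a constructed placeholder; fill it from the official Vercel advisory.

```javascript
// Added example (not from the article, Next.js or Vercel): Node.js audit helper
// for Phase 1 steps 2-3. Flags App Router usage and compares installed versions
// against the fixed versions from the advisory (placeholder table in auditSample).

// Parse "15.4.1" or "15.4.1-canary.3" into [major, minor, patch].
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}

// True when a is strictly older than b (pre-release tags are ignored).
function semverLt(a, b) {
  const [x, y] = [parseSemver(a), parseSemver(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i];
  return false;
}

// installed: { pkg: version } from the lockfile or node_modules.
// patched:   { pkg: [one fixed version per major.minor release line] }.
// A release line the advisory does not fix is reported, never silently passed.
function findVulnerable(installed, patched) {
  const findings = [];
  for (const [pkg, version] of Object.entries(installed)) {
    const fixes = patched[pkg];
    if (!fixes) continue; // package not covered by the advisory
    const line = parseSemver(version).slice(0, 2).join(".");
    const fix = fixes.find((f) => parseSemver(f).slice(0, 2).join(".") === line);
    if (!fix) findings.push({ pkg, version, status: "no-fix-for-line" });
    else if (semverLt(version, fix)) findings.push({ pkg, version, status: "vulnerable", fix });
  }
  return findings;
}

// App Router is in use when any project file (e.g. from `git ls-files`) lives under app/ or src/app/.
function usesAppRouter(paths) {
  return paths.some((p) => /^(src\/)?app\//.test(p.replace(/\\/g, "/")));
}

// Constructed sample: placeholder fixed versions and a sample project tree.
function auditSample() {
  const patched = { next: ["15.4.99", "16.0.99"], react: ["19.1.99"] }; // placeholders
  const installed = { next: "15.4.2", react: "19.1.0", "react-dom": "19.1.0" };
  const files = ["src/app/page.tsx", "package.json"];
  return { appRouter: usesAppRouter(files), findings: findVulnerable(installed, patched) };
}

console.log(JSON.stringify(auditSample(), null, 2));
```

In a real project, feed `installed` from `npm ls --json` or the lockfile rather than from package.json ranges, since the version that matters is the one actually resolved.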

Phase 2: Post-Patch Validation

  1. Security Audit: Conduct a focused security audit specifically targeting data flow within API routes and Server Components to ensure the RCE vector is completely closed.
  2. Regression Testing: Ensure the critical patch has not introduced new bugs or broken functionality, especially in data-heavy sections of the application.
  3. WAF/Firewall Review: Verify that your Web Application Firewall (WAF) or other external security measures are up-to-date and configured to log and block abnormal request patterns.

How Dotsquares Can Help You Secure Your Next.js Application

Handling a CVSS 10.0 RCE vulnerability demands deep expertise in the Next.js runtime environment, an understanding of continuous integration pipelines, and familiarity with advanced security auditing tools. Our specialist teams can provide the necessary support to companies that cannot deploy their own teams at short notice.

Our Specialised RCE Remediation Service Includes:

  • Urgent Version Auditing: Rapid identification of all vulnerable assets across your development environment.
  • Guaranteed Patches & Deployment: Secure, rapid patching and deployment to the latest stable version, ensuring zero production downtime.
  • Post-Patch Hardening: Review and implementation of best-practice security headers and environment variable isolation to prevent future logic exposure.
  • Security Compliance Reporting: Providing detailed documentation and audit reports confirming the remediation status for internal governance and client assurance.
  • Long-Term Strategy: Consulting on upgrading your application security practices to integrate dependency scanning and continuous code auditing, transforming your security approach from reactive to proactive.

Why Businesses Trust Dotsquares for Critical Security Issues

✔ ISO 27001 Certified — Information Security Management

Your platform is handled under strict, internationally recognised security standards.

✔ ISO 9001:2015 Certified — Quality Management

Our processes follow a globally approved, repeatable, and reliable quality management framework.

✔ Award-Winning Team (European Technology Awards 2023)

Recognised for excellence in technology and innovation — proof of our commitment to world-class delivery.

✔ 23+ Years of Experience Across 1000+ Secured Applications

Decades of multi-industry expertise protecting high-risk and enterprise-scale applications.

✔ 24/7 Global Support From Certified Security Specialists

Immediate response when every minute matters.

Conclusion

The vulnerability CVE-2025-66478 represents a fundamental challenge to the security of any application that makes use of the Next.js App Router. It is essentially a trial of the robustness of a company's security measures and their ability to react.

Our security provision for all applications that we manage is always of the highest standard. Never take this RCE issue lightly.

If your application uses the Next.js App Router and requires immediate, expert assistance to ensure compliance and security validation, contact our expert team immediately.

Next.js RCE Security: Your Most Common Questions Answered

1. How do I know if my Next.js app is affected by the RCE vulnerability?

If your project uses the Next.js App Router (/app directory) or runs on a vulnerable React Server Components (RSC) version, it is likely affected. Apps using only the Pages Router are generally safe but still need a dependency audit.

2. What is the Next.js RCE vulnerability and why is it so dangerous?

The vulnerability allows attackers to execute code on your server, not the browser, making it a remote code execution (RCE) threat. This means hackers could potentially gain full control over your application or server environment if left unpatched.

3. How can I fix the Next.js RCE issue in my application?

To fix the vulnerability, upgrade to the latest patched version of Next.js and React immediately. Review your server configurations, security headers, and dependencies, and perform a security audit to verify that all RSC-related risks are fully patched.

4. Are Next.js applications using the Pages Router safe from this exploit?

Mostly yes. The RCE attack vector is tied to React Server Components, which the older Pages Router does not use. However, if your Next.js version supports App Router features, you still need to audit and update all dependencies.

5. What steps should businesses take to protect their Next.js applications from future vulnerabilities?

Implement ongoing dependency monitoring, enable CSP and security headers, use automated security scanning tools, and maintain regular code audits. Partnering with an experienced Next.js security team helps ensure rapid response when new vulnerabilities appear.

Secure Your Next.js Application Before It’s Too Late

A CVSS 10.0 RCE is the most dangerous vulnerability level — and attackers exploit such flaws fast. If you’re running the Next.js App Router, let our certified security team safeguard your platform now.
