A critical vulnerability in Next.js requires immediate attention if you’re running applications with the App Router. The issue, tracked as CVE-2025-66478, has received a CVSS score of 10.0—the highest severity rating possible. This vulnerability affects the React Server Components (RSC) protocol and can allow remote code execution when processing attacker-controlled requests. The issue stems from an upstream React implementation vulnerability (CVE-2025-55182) that impacts Next.js applications using the App Router.

Which versions are affected?

The vulnerability affects Next.js applications using React Server Components with the App Router in these versions:
  • Next.js 15.x (all minor versions)
  • Next.js 16.x (all minor versions)
  • Next.js 14.3.0-canary.77 and later canary releases
Good news: Next.js 13.x, stable Next.js 14.x releases, applications that use only the Pages Router, and the Edge Runtime are not affected. Check the "Pages Router only" assumption before relying on it: on Next.js 13.4 and later, the presence of an app/ directory enables the App Router alongside pages/, and such a mixed project is in scope.

What’s the risk?

The vulnerable RSC protocol allowed untrusted inputs to influence server-side execution behavior. Under specific conditions, an attacker could craft requests that trigger unintended server execution paths, which can result in remote code execution in unpatched environments. A 10.0 CVSS score means the vector is network-reachable with no privileges and no user interaction required, so treat every internet-facing App Router deployment as exposed until it is upgraded. The Next.js team is intentionally limiting technical details to protect developers who haven't upgraded yet.

How to fix this now

Upgrade to the latest patched version in your release line:
# For Next.js 15.0.x
npm install next@15.0.5

# For Next.js 15.1.x
npm install next@15.1.9

# For Next.js 15.2.x
npm install next@15.2.6

# For Next.js 15.3.x
npm install next@15.3.6

# For Next.js 15.4.x
npm install next@15.4.8

# For Next.js 15.5.x
npm install next@15.5.7

# For Next.js 16.0.x
npm install next@16.0.7
If you’re running Next.js 14.3.0-canary.77 or later canary releases, downgrade to the latest stable 14.x release:
npm install next@14
There’s no configuration option to disable the vulnerable code path. Upgrading is your only option.

Update your Upsun deployments

After updating your Next.js version locally, commit the changes and push to your repository. Upsun will automatically rebuild and redeploy your application with the patched version.
# Update package.json (substitute the patched version for your release line; 15.0.5 is shown)
npm install next@15.0.5

# Commit the change
git add package.json package-lock.json
git commit -m "Security: Update Next.js to 15.0.5 (CVE-2025-66478)"

# Push to trigger deployment
git push upsun main
Your Upsun environment will rebuild with the secure Next.js version during the deployment process.

Test before production

Use Upsun’s preview environments to test the update before deploying to production. Create a new branch, update Next.js, and push:
git checkout -b security-update
npm install next@15.0.5
git add package.json package-lock.json
git commit -m "Security: Update Next.js to 15.0.5"
git push upsun security-update
Upsun creates a complete preview environment with a production clone. You can test the updated version thoroughly before merging to your production branch.

Verify your update

After deployment, check your running Next.js version in your Upsun environment:
upsun ssh
cd /app
npm list next
Compare the version printed against the patched release for your line (for example 15.5.7 for 15.5.x, 16.0.7 for 16.0.x). Do this in the deployed environment rather than only on your workstation: the lockfile you committed is what the build installs, so a local `npm install` that was never committed leaves production unpatched.
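Reading a version out of `npm list` by eye is error-prone when you have many environments. The script below is an added example, not part of the Next.js advisory or Upsun's tooling: it encodes the affected-version list and fix table from this page and classifies a Next.js version string as patched, vulnerable, not-affected, or unknown. Feed it the version of the `next` package that Node actually resolves (`node -p "require('next/package.json').version"`, run from the application root) rather than the range in package.json. Two assumptions are built in and marked in the code: a pre-release at the fixed patch level (such as 15.5.7-canary.1) sorts below 15.5.7 in semver and is treated as unpatched, and any release line this page does not list (15.6, 16.1, 17.x) is reported as unknown rather than guessed.

```shell
#!/bin/sh
# check_next_version.sh: classify a Next.js version against the fix table on this
# page for CVE-2025-66478 / CVE-2025-55182.
# Added example; not part of the Next.js project or Upsun's tooling.
#
# Usage:  sh check_next_version.sh "$(node -p "require('next/package.json').version")"
# Exit status: 0 patched, 1 vulnerable, 2 not affected, 3 unknown / not in the table.

# Patched patch level for each release line listed in the advisory (major.minor -> patch).
fixed_patch_for() {
    case "$1" in
        15.0) echo 5 ;;
        15.1) echo 9 ;;
        15.2) echo 6 ;;
        15.3) echo 6 ;;
        15.4) echo 8 ;;
        15.5) echo 7 ;;
        16.0) echo 7 ;;
        *)    echo "" ;;   # release line not in the table: do not guess
    esac
}

# classify_next_version VERSION -> prints patched|vulnerable|not-affected|unknown
classify_next_version() {
    v="${1#v}"          # tolerate a leading "v"
    v="${v%%+*}"        # drop semver build metadata (+sha)
    core="${v%%-*}"     # X.Y.Z
    pre=""              # pre-release tag such as canary.77; empty for a stable release
    case "$v" in *-*) pre="${v#*-}" ;; esac

    major="${core%%.*}"
    rest="${core#*.}"
    case "$rest" in *.*) ;; *) echo unknown; return 3 ;; esac
    minor="${rest%%.*}"
    patch="${rest#*.}"
    for part in "$major" "$minor" "$patch"; do
        case "$part" in ""|*[!0-9]*) echo unknown; return 3 ;; esac
    done

    case "$major" in
        15|16) ;;   # affected lines, compared against the fix table below
        14)
            # Stable 14.x is safe; only 14.3.0 canaries numbered 77 and up carry the vulnerable code.
            if [ "$minor.$patch" = "3.0" ]; then
                case "$pre" in
                    canary.*)
                        n="${pre#canary.}"
                        case "$n" in ""|*[!0-9]*) echo unknown; return 3 ;; esac
                        if [ "$n" -ge 77 ]; then echo vulnerable; return 1; fi ;;
                esac
            fi
            echo not-affected; return 2 ;;
        *)
            if [ "$major" -lt 14 ]; then echo not-affected; return 2; fi
            echo unknown; return 3 ;;   # 17+ is outside this page's table
    esac

    fixed="$(fixed_patch_for "$major.$minor")"
    if [ -z "$fixed" ]; then echo unknown; return 3; fi
    # Assumption: semver orders X.Y.Z-pre below X.Y.Z, so a pre-release at the fixed
    # patch level (e.g. 15.5.7-canary.1) is treated as not carrying the fix.
    if [ "$patch" -gt "$fixed" ] || { [ "$patch" -eq "$fixed" ] && [ -z "$pre" ]; }; then
        echo patched; return 0
    fi
    echo vulnerable; return 1
}

# When invoked with a version argument, print the verdict and exit with its code,
# so the script can gate a CI step or a deploy hook.
if [ $# -gt 0 ]; then
    rc=0
    classify_next_version "$1" || rc=$?
    exit "$rc"
fi
```

The exit status is the useful part: wire `sh check_next_version.sh "$(node -p "require('next/package.json').version")"` into a build hook and fail the deployment on anything other than 0 or 2, so an "unknown" line forces someone to read the advisory instead of being waved through.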

Credit and disclosure

Lachlan Davidson discovered and responsibly disclosed this vulnerability. The coordinated disclosure process allowed the Next.js team to develop and release patches before public announcement.

Learn more

Read the full technical details in the Next.js security advisory and the upstream React CVE-2025-55182 advisory. For questions about deploying secure Next.js applications on Upsun, check our Next.js deployment guide.
Deploy secure Next.js applications on Upsun with built-in preview environments and automated deployments. Create your free account to get started.
Last modified on April 27, 2026