Aikido Intel advisory AIKIDO-2025-10869

next is vulnerable to Remote Code Execution (RCE)

Type: Remote Code Execution (RCE)
CVE: CVE-2025-66478
Score: 100 (Critical Risk)

This affects:

Package: next (JS / npm)

  15.0.0 - 15.0.4   fixed in 15.0.5
  15.1.0 - 15.1.8   fixed in 15.1.9
  15.2.0 - 15.2.5   fixed in 15.2.6
  15.3.0 - 15.3.5   fixed in 15.3.6
  15.4.0 - 15.4.7   fixed in 15.4.8
  15.5.0 - 15.5.6   fixed in 15.5.7
  16.0.0 - 16.0.6   fixed in 16.0.7

TL;DR

Affected versions of next are vulnerable to unauthenticated remote code execution because of a flaw in how React Server Components decode the payloads sent to Server Function endpoints. The vulnerable decoding path is reachable even when the application defines no Server Functions of its own, so an attacker needs only to send crafted HTTP requests to the server to reach it and obtain code execution. Users of affected frameworks (Next.js, react-router, waku, Parcel RSC, Vite RSC, and Turbopack) should upgrade immediately.

Who does this affect?

You are affected if any copy of next in your dependency tree falls within one of the vulnerable ranges listed above. Not using Server Actions or Server Functions in your own code does not take you out of scope, because the flaw is in the framework's request decoding and is reachable without any application-defined endpoint. Check the lockfile rather than only package.json, since a nested or transitive copy of next is just as exposed as the top-level one.

Background info

next is vulnerable to Remote Code Execution (RCE) in versions 16.0.0 - 16.0.6, 15.5.0 - 15.5.6, 15.4.0 - 15.4.7, 15.3.0 - 15.3.5, 15.2.0 - 15.2.5, 15.1.0 - 15.1.8 and 15.0.0 - 15.0.4.

How to fix this

Upgrade next to the fixed release for the minor line you are on: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7 or 16.0.7. The vulnerable decoding code lives in the react-server-dom-turbopack library that next bundles, so upgrading next is what brings in the patched copy; if you also depend on react-server-dom-turbopack directly, upgrade it to its patched version as well. After upgrading, confirm that no nested copy of next in the vulnerable ranges remains in the lockfile, and redeploy, since the fix only takes effect once the running build uses the patched package.
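The following is an added example, not code from Aikido or from the Next.js project: it encodes the version ranges listed in this advisory and checks every copy of next found in a parsed npm lockfile (lockfile v2/v3 `packages` map) against them, reporting the fixed release to move to. The sample lockfile is constructed for the demonstration; the function names and the handling of prerelease (canary) builds as "unknown" are this example's own choices.

```javascript
// Added example (not the advisory's or Next.js's own code): map an installed
// `next` version to the vulnerable ranges published in this advisory.

// [first vulnerable, last vulnerable, fixed in] -- copied from the advisory.
const VULNERABLE_RANGES = [
  ["15.0.0", "15.0.4", "15.0.5"],
  ["15.1.0", "15.1.8", "15.1.9"],
  ["15.2.0", "15.2.5", "15.2.6"],
  ["15.3.0", "15.3.5", "15.3.6"],
  ["15.4.0", "15.4.7", "15.4.8"],
  ["15.5.0", "15.5.6", "15.5.7"],
  ["16.0.0", "16.0.6", "16.0.7"],
];

// Minimal semver parser: x.y.z with an optional prerelease suffix.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(String(v).trim());
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], prerelease: m[4] || null };
}

// Numeric comparison of major.minor.patch (prerelease ignored here; callers
// treat prerelease builds separately because the advisory lists none).
function compareVersions(a, b) {
  return a.major - b.major || a.minor - b.minor || a.patch - b.patch;
}

// Classify one version. "not-in-range" means only that the version is outside
// the ranges this advisory lists; it is not a general safety verdict.
function checkNextVersion(version) {
  const v = parseVersion(version);
  if (!v) return { status: "unknown", version, reason: "unparseable version" };
  if (v.prerelease) {
    return { status: "unknown", version, reason: "prerelease build not covered by the listed ranges" };
  }
  for (const [lo, hi, fixedIn] of VULNERABLE_RANGES) {
    if (compareVersions(v, parseVersion(lo)) >= 0 && compareVersions(v, parseVersion(hi)) <= 0) {
      return { status: "vulnerable", version, fixedIn };
    }
  }
  return { status: "not-in-range", version };
}

// Walk a parsed package-lock.json (lockfileVersion 2 or 3) and check every
// copy of `next`, including nested copies under other packages' node_modules.
function findNextInstalls(lock) {
  const results = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "node_modules/next" || path.endsWith("/node_modules/next")) {
      results.push({ path, ...checkNextVersion(meta.version) });
    }
  }
  return results;
}

// Constructed sample lockfile: a vulnerable top-level next and a patched
// nested copy pulled in by a hypothetical tool.
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { next: "15.4.1" } },
    "node_modules/next": { version: "15.4.1" },
    "node_modules/some-tool/node_modules/next": { version: "15.5.7" },
  },
};

for (const r of findNextInstalls(SAMPLE_LOCK)) {
  const advice = r.status === "vulnerable" ? `upgrade to ${r.fixedIn}` : r.reason || "outside listed ranges";
  console.log(`${r.path}: next@${r.version} -> ${r.status} (${advice})`);
}
```

To run it against a real project, `JSON.parse` the contents of `package-lock.json` and pass the object to `findNextInstalls`; any entry reported as "vulnerable" names the fixed release for that minor line. Lockfile v1 files keep dependencies under a nested `dependencies` tree instead of `packages` and would need a different walker.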