
Next.js: Remote Code Execution via React Server Components (CVE-2025-66478, REJECTED — see CVE-2025-55182)

CVE-2025-66478 · Critical · Published
CVSS: 10 (Critical)
EPSS: 0
CWE: CWE-1321 Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution)
Vector: —

Summary

Per Praetorian’s blog: “This vulnerability, tracked as CVE-2025-66478, stems from an upstream issue in the React Server Components (RSC) protocol (CVE-2025-55182). … The vulnerability resides in how the React Server Components (RSC) protocol deserializes user input on the server. Specifically, it allows untrusted inputs to influence the execution of server-side logic via the Next-Action header.” Per NVD on CVE-2025-55182: “A pre-authentication remote code execution vulnerability exists in React Server Components … The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.”

Affected Packages / Versions

  • Package: next.js (npm) / React Server Components (—)
  • Latest published version at triage time: Per CVE-2025-55182: react-server-dom-* 19.0.0, 19.1.0, 19.1.1, 19.2.0
  • Affected range: NVD has REJECTED CVE-2025-66478 as a duplicate of CVE-2025-55182. Per CVE-2025-55182: "React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack."
  • Patched version: See React advisory tied to CVE-2025-55182 (specific version not enumerated by NVD at fetch time)

Impact

Per Praetorian’s blog: “sending this payload to a vulnerable Next.js server allows the attacker to traverse the prototype chain (__proto__) to access the constructor. This effectively grants access to the Function constructor, enabling the execution of arbitrary JavaScript code within the context of the running server process.” Praetorian validated a working exploit against vulnerable environments.
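The root cause described above is a CWE-1321 deserialization problem: untrusted input reaches code that can be steered onto the prototype chain. As an added illustration of the defensive check a practitioner would put in front of such a deserializer (this is not React's, Next.js's or Praetorian's code, and it is not the upstream fix for CVE-2025-55182; upgrading the affected packages remains the remediation), the block below walks a parsed JSON value and refuses any object carrying an own key that names prototype machinery. It assumes the application has a point where untrusted request bodies are parsed before being dispatched to server-side logic; the sample payloads are constructed, not captured traffic.

```javascript
// Added example, not React/Next.js code and not the CVE-2025-55182 fix.
// Guard for CWE-1321 inputs: refuse a JSON.parse result that contains any own
// key naming prototype machinery, so untrusted data never reaches code that
// could walk the prototype chain through it.
// Assumption: untrusted bodies are parsed at one hook before dispatch.

const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Collects paths (e.g. "/settings/__proto__") of forbidden own keys.
// JSON.parse defines "__proto__" as an ordinary own property, so
// Object.entries reports it and the walk catches it.
function findPrototypeKeys(value, path = "", found = []) {
  if (value === null || typeof value !== "object") return found;
  if (Array.isArray(value)) {
    value.forEach((item, i) => findPrototypeKeys(item, `${path}/${i}`, found));
    return found;
  }
  for (const [key, child] of Object.entries(value)) {
    const childPath = `${path}/${key}`;
    if (FORBIDDEN_KEYS.has(key)) found.push(childPath);
    findPrototypeKeys(child, childPath, found);
  }
  return found;
}

// Parses untrusted JSON text; throws instead of returning a value that
// carries a forbidden key anywhere in the tree.
function parseUntrusted(text) {
  const parsed = JSON.parse(text);
  const hits = findPrototypeKeys(parsed);
  if (hits.length > 0) {
    throw new Error(`rejected payload: forbidden key(s) at ${hits.join(", ")}`);
  }
  return parsed;
}

// Recursive merge of the kind that is unsafe on unfiltered input; here it is
// only reached after parseUntrusted has accepted the payload.
function mergeInto(target, source) {
  for (const [key, value] of Object.entries(source)) {
    if (value && typeof value === "object" && !Array.isArray(value)) {
      if (!target[key] || typeof target[key] !== "object") target[key] = {};
      mergeInto(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Applies an untrusted JSON document to a settings object through the guard.
function applyUntrusted(target, text) {
  return mergeInto(target, parseUntrusted(text));
}

// Constructed sample inputs: one benign document and two that carry
// prototype-chain keys.
const SAMPLES = {
  benign: '{"theme":"dark","limits":{"rows":50}}',
  protoKey: '{"settings":{"__proto__":{"polluted":true}}}',
  ctorKey: '{"constructor":{"prototype":{"polluted":true}}}',
};

// Reports, per sample, whether the guard accepted it, plus whether
// Object.prototype is still untouched afterwards.
function runSamples() {
  const outcome = {};
  for (const [name, text] of Object.entries(SAMPLES)) {
    try {
      applyUntrusted({}, text);
      outcome[name] = "accepted";
    } catch (err) {
      outcome[name] = `rejected (${err.message})`;
    }
  }
  outcome.prototypeClean = ({}).polluted === undefined;
  return outcome;
}
```

The guard is deliberately a whole-tree walk rather than a top-level key check, because the page describes traversal that reaches `constructor` from a nested position. It complements, and does not replace, the package upgrade: the RSC protocol has its own decoder that this hook does not sit in front of.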

Severity Rationale

Originally CVSS 10.0 (Critical) per Praetorian’s blog header. NVD’s surviving record CVE-2025-55182 also scores 10.0, scope-changing, with full CIA. Track severity via CVE-2025-55182.

Fix

Per Praetorian’s blog: “Immediate action is required.” Operators should apply the React Server Components / Next.js update that addresses CVE-2025-55182. Reviewer should confirm specific patched versions against the upstream React advisory before publication.

Disclosure timeline

  • Reported to vendor: TBD
  • Patch released: TBD
  • Public disclosure: Dec 4, 2025 (per Praetorian blog header)

Fix Commit(s)

References

Discovered by Nathan Sportsman · Published April 29, 2026