A critical vulnerability (CVE-2025-66478) has been identified in the React Server Components protocol. Users should upgrade to patched versions immediately.

The Next.js Blog provides insights, updates, and tutorials on Next.js, a popular React framework for building server-side rendered (SSR) and static websites. Developers can learn about Next.js features, routing mechanisms, and data fetching strategies, as well as explore real-world examples and use cases of Next.js applications.

Next.js

A critical CVSS 10.0 vulnerability (CVE-2025-66478) in React Server Components protocol enables remote code execution through attacker-controlled requests. Next.js applications using App Router in versions 15.x, 16.x, and 14.3.0-canary.77+ are affected. Patched versions are now available (15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7). Immediate upgrade is required as no configuration workaround exists. Pages Router and Edge Runtime applications are unaffected.

Security Advisory: CVE-2025-66478