Security
Headlines
GHSA-9qr9-h5gf-34mp: Next.js is vulnerable to RCE in React flight protocol

A vulnerability affects certain React packages [1] for versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55182.

Fixed in:
React: 19.0.1, 19.1.2, 19.2.1
Next.js: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7

The vulnerability also affects experimental canary releases starting with 14.3.0-canary.77. Users on any of the 14.3 canary builds should either downgrade to a 14.x stable release or 14.3.0-canary.76.

All users of stable 15.x or 16.x Next.js versions should upgrade to a patched, stable version immediately.

[1] The affected React packages are:

  • react-server-dom-parcel
  • react-server-dom-turbopack
  • react-server-dom-webpack
Source: ghsa · Tags: vulnerability, web, js, git, rce

Next.js is vulnerable to RCE in React flight protocol

Critical severity · GitHub Reviewed · Published Dec 3, 2025 in vercel/next.js · Updated Dec 3, 2025

Affected versions (each range is closed by the patched version that follows it):

  • >= 14.3.0-canary.77, < 15.0.5 → patched in 15.0.5
  • >= 15.1.1-canary.0, < 15.1.9 → patched in 15.1.9
  • >= 15.2.0-canary.0, < 15.2.6 → patched in 15.2.6
  • >= 15.3.0-canary.0, < 15.3.6 → patched in 15.3.6
  • >= 15.4.0-canary.0, < 15.4.8 → patched in 15.4.8
  • >= 15.5.1-canary.0, < 15.5.7 → patched in 15.5.7
  • >= 16.0.0-canary.0, < 16.0.7 → patched in 16.0.7

Patched versions: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7
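As an added example (not code from the advisory or from the Next.js project), the following Node.js script checks the installed Next.js version against the affected ranges listed above. It orders versions by plain SemVer 2.0.0 rules without an npm dependency, so canary prereleases such as 14.3.0-canary.77 compare correctly against both 14.3.0-canary.76 and the 14.3.0 release. The function names, the inline package.json sample and the range-matching helper are assumptions of this example.

```javascript
// Added example (not from the advisory or the Next.js project): check an installed
// Next.js version against the affected ranges quoted in the advisory above.
// Ordering follows SemVer 2.0.0, so canary prereleases sort below the matching
// release (14.3.0-canary.77 < 14.3.0) and numeric identifiers compare as numbers
// (canary.9 < canary.77). No npm dependency is used.

// Ranges exactly as listed in the advisory.
const AFFECTED_RANGES = [
  ">= 14.3.0-canary.77, < 15.0.5",
  ">= 15.1.1-canary.0, < 15.1.9",
  ">= 15.2.0-canary.0, < 15.2.6",
  ">= 15.3.0-canary.0, < 15.3.6",
  ">= 15.4.0-canary.0, < 15.4.8",
  ">= 15.5.1-canary.0, < 15.5.7",
  ">= 16.0.0-canary.0, < 16.0.7",
];

// Split "MAJOR.MINOR.PATCH[-prerelease]" into a numeric core and prerelease identifiers.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z-]+(?:\.[0-9A-Za-z-]+)*))?$/.exec(v.trim());
  if (!m) throw new Error(`not a SemVer version: ${v}`);
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] ? m[4].split(".") : [] };
}

// SemVer 2.0.0 section 11: a release outranks any prerelease of the same core;
// numeric identifiers compare numerically and rank below alphanumeric ones;
// a shorter identifier list ranks lower when all shared identifiers are equal.
function comparePrerelease(a, b) {
  if (a.length === 0 && b.length === 0) return 0;
  if (a.length === 0) return 1;
  if (b.length === 0) return -1;
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    if (i >= a.length) return -1;
    if (i >= b.length) return 1;
    const aNum = /^\d+$/.test(a[i]), bNum = /^\d+$/.test(b[i]);
    if (aNum && bNum) {
      if (Number(a[i]) !== Number(b[i])) return Number(a[i]) < Number(b[i]) ? -1 : 1;
    } else if (aNum) return -1;
    else if (bNum) return 1;
    else if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns -1, 0 or 1, usable as a comparator for Array.prototype.sort.
function compareVersions(x, y) {
  const a = parseVersion(x), b = parseVersion(y);
  for (let i = 0; i < 3; i++) {
    if (a.core[i] !== b.core[i]) return a.core[i] < b.core[i] ? -1 : 1;
  }
  return comparePrerelease(a.pre, b.pre);
}

// Evaluate one comparator such as ">= 15.1.1-canary.0" or "< 15.1.9".
function satisfiesComparator(version, comparator) {
  const m = /^(>=|<)\s*(\S+)$/.exec(comparator.trim());
  if (!m) throw new Error(`unsupported comparator: ${comparator}`);
  const c = compareVersions(version, m[2]);
  return m[1] === ">=" ? c >= 0 : c < 0;
}

// Returns the first advisory range that contains `version`, or null if none does.
function affectedRange(version) {
  for (const range of AFFECTED_RANGES) {
    if (range.split(",").every((cmp) => satisfiesComparator(version, cmp))) return range;
  }
  return null;
}

// Reads the `version` field from the text of node_modules/next/package.json
// (the installed copy, not the range declared in the application's own package.json).
function checkNextPackageJson(jsonText) {
  const pkg = JSON.parse(jsonText);
  if (pkg.name !== "next") throw new Error(`expected package "next", got ${pkg.name}`);
  return { version: pkg.version, affectedRange: affectedRange(pkg.version) };
}

// Constructed sample standing in for fs.readFileSync("node_modules/next/package.json", "utf8").
const SAMPLE_NEXT_PACKAGE_JSON = JSON.stringify({ name: "next", version: "15.4.7" });

const result = checkNextPackageJson(SAMPLE_NEXT_PACKAGE_JSON);
console.log(result.affectedRange
  ? `next@${result.version} is inside affected range "${result.affectedRange}"`
  : `next@${result.version} is outside the listed affected ranges`);
```

A `null` result means only that the version falls outside the ranges quoted above; the advisory separately tells every user of a stable 15.x or 16.x release to move to a patched version, so treat the check as a triage aid for lockfiles and CI, not as a clearance. Run it against the installed `node_modules/next/package.json` on each deployed artifact rather than against the caret range in the project manifest, since that is what actually executes.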


References

  • GHSA-9qr9-h5gf-34mp
  • https://nvd.nist.gov/vuln/detail/CVE-2025-66478

Published to the GitHub Advisory Database: Dec 3, 2025

Related news

Critical RSC Bugs in React and Next.js Allow Unauthenticated Remote Code Execution

A maximum-severity security flaw has been disclosed in React Server Components (RSC) that, if successfully exploited, could result in remote code execution. The vulnerability, tracked as CVE-2025-55182, carries a CVSS score of 10.0. It allows "unauthenticated remote code execution by exploiting a flaw in how React decodes payloads sent to React Server Function endpoints," the React Team said in