CVE-2025-66478

Published Dec 3, 2025

Last updated 2 months ago

React
Next.js
react2shell

Overview

AI description

Automated description summarized from trusted sources.

CVE-2025-66478 is a critical vulnerability affecting Next.js applications that use the App Router. This vulnerability, along with CVE-2025-55182 which affects React, allows for unauthenticated remote code execution (RCE). The flaw stems from insecure deserialization within the React Server Components (RSC) "Flight" protocol. Exploitation is possible through a crafted HTTP request, even in default configurations of Next.js applications created with `create-next-app`. Patched versions of React (19.0.1, 19.1.2, and 19.2.1) and Next.js (15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7) are available and users are advised to upgrade immediately. Fastly has also released a Virtual Patch for their NGWAF to help mitigate exploitation attempts.

Description
Rejected reason: This CVE is a duplicate of CVE-2025-55182.
Source
security-advisories@github.com
NVD status
Rejected

Insights

Analysis from the Intruder Security Team
Published Dec 4, 2025 Updated Dec 9, 2025

This vulnerability allows for code execution via a deserialisation vulnerability within the react-server-dom packages. This will affect React, NextJS and downstream projects that utilise these frameworks.

AssetNote released a technical research post and a detection technique which is effective at identifying unpatched instances, whereas full RCE chains may fail because WAFs heavily fingerprint those payloads and their bypasses. Vercel's CEO released a simple breakdown of the issue and how it works.

We have witnessed widespread exploitation activity for this vulnerability, especially to deploy an in-memory webshell. There have been some community efforts to detect exploitation activity; however, exploiting this vulnerability usually leaves little to no trace, which makes detection difficult for defenders.

Patching immediately is the only effective strategy for dealing with this vulnerability.
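Since patching is the only effective remediation, the check a defender most wants is whether every copy of React and Next.js in a deployment is at or above the fixed releases listed in the summary above (React 19.0.1, 19.1.2, 19.2.1; Next.js 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7). The script below is an added example, not code from this page, from Intruder, or from the React or Next.js projects. It walks a package-lock.json v2/v3 `packages` map so that nested duplicates (`node_modules/<dep>/node_modules/react`) are checked as well as the hoisted copy, and it reports any major.minor line the advisory does not list as `unknown` rather than guessing. The sample lockfile, the function names and the `unknown` handling are assumptions made for illustration.

```javascript
// Added example (not code from the page, Intruder, React or Next.js): compare
// installed React / Next.js versions with the patched releases named in the
// advisory summary. Function names and the sample lockfile are assumptions.
const PATCHED_VERSIONS = {
  react: ["19.0.1", "19.1.2", "19.2.1"],
  next: ["15.0.5", "15.1.9", "15.2.6", "15.3.6", "15.4.8", "15.5.7", "16.0.7"],
};

// Parse "15.4.8", "^15.4.8", "v15.4.8" or "15.5.7-canary.3" into numeric parts
// plus a prerelease tag; returns null for anything that is not semver-like.
function parseVersion(raw) {
  const m = /^[\^~=v\s]*(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(raw));
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], prerelease: m[4] || null };
}

// Semver ordering on the parts we need: numeric triple first, then a
// prerelease sorts below the matching release (15.5.7-canary.3 < 15.5.7).
function compareVersions(a, b) {
  for (const k of ["major", "minor", "patch"]) {
    if (a[k] !== b[k]) return a[k] < b[k] ? -1 : 1;
  }
  if (a.prerelease && !b.prerelease) return -1;
  if (!a.prerelease && b.prerelease) return 1;
  return 0;
}

// Classify one package version as "patched", "vulnerable" (with the fixed
// release on the same minor line) or "unknown" when the advisory lists no fix
// for that major.minor line, so the reader consults the advisory instead of
// assuming either way.
function assessVersion(pkg, raw) {
  const installed = parseVersion(raw);
  const fixes = PATCHED_VERSIONS[pkg];
  if (!installed || !fixes) return { pkg, version: raw, status: "unknown", fix: null };
  const fix = fixes
    .map(parseVersion)
    .find((f) => f.major === installed.major && f.minor === installed.minor);
  if (!fix) return { pkg, version: raw, status: "unknown", fix: null };
  const fixStr = `${fix.major}.${fix.minor}.${fix.patch}`;
  const status = compareVersions(installed, fix) >= 0 ? "patched" : "vulnerable";
  return { pkg, version: raw, status, fix: fixStr };
}

// Walk a package-lock.json v2/v3 "packages" map. Nested copies such as
// node_modules/some-lib/node_modules/react are checked too: a patched top-level
// entry says nothing about a duplicate pulled in by a dependency.
function scanLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();
    if (name in PATCHED_VERSIONS && entry && entry.version) {
      findings.push({ path, ...assessVersion(name, entry.version) });
    }
  }
  return findings;
}

// One report line per finding, suitable for a CI log.
function report(lock) {
  return scanLockfile(lock).map(
    (f) => `${f.status.padEnd(10)} ${f.path} ${f.version}` + (f.fix ? ` (fixed in ${f.fix})` : "")
  );
}

// Constructed sample lockfile (not a real project): patched top-level next and
// react, but an older react copy nested under a dependency.
const SAMPLE_LOCK = {
  packages: {
    "node_modules/next": { version: "15.4.8" },
    "node_modules/react": { version: "19.2.1" },
    "node_modules/some-ui-lib/node_modules/react": { version: "19.1.0" },
  },
};

console.log(report(SAMPLE_LOCK).join("\n"));
```

In a real pipeline, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json"))` and fail the build on any `vulnerable` finding; treat `unknown` as a prompt to read the advisory, because the summary above only lists fixes for the React 19.x and Next.js 15.x/16.x lines.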

Social media

Hype score
Not currently trending
  1. Comprehensive security architecture report: vulnerability analysis and hardening strategy for Next.js 16 (CVE-2025-66478) https://t.co/HQzjYNYFpA

    @SolanaLinkJP

    19 Jan 2026

    0 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. CVSS 10.0 React2Shell masterpiece (CVE-2025-55182 / CVE-2025-66478) in @nextjs turned our client's production server into a 24/7 crypto mining rig in minutes :)))) A month of forensic digging later we discover the miners were politely hiding inside node_modules like Easter eggs

    @petsonii

    16 Jan 2026

    67 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. #VulnerabilityReport #AppRouter Maximum Severity Alert: Critical RCE Flaw Hits Next.js (CVE-2025-66478, CVSS 10.0) https://t.co/CkaJZMMtMg

    @Komodosec

    10 Jan 2026

    61 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. Learnt about CVE (Common Vulnerabilities and Exposures) and how they affect older versions of Next.js. While updating a project, I ran into CVE-2025-66478. Keeping frameworks updated isn’t just about features — it’s about security 🔐😲

    @GrundeO123

    10 Jan 2026

    68 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  5. This repository was reportedly used as the initial entry point in the compromise of UNAM, exploiting a known vulnerability that was registered on December 3, 2025 (CVE-2025-66478): https://t.co/N6YcZIvVzp It is highly likely that cybercrime actors have ht

    @ivancastl

    7 Jan 2026

    22679 Impressions

    70 Retweets

    404 Likes

    145 Bookmarks

    4 Replies

    3 Quotes

  6. Dear @TonyRobbins & @deangraziosi I have found a bug in your website https://t.co/8FsVFNkAnJ That allows me to Remote code execution (RCE). This is the critical React2Shell flaw (CVE-2025-66478 / CVE-2025-55182) affecting unpatched Next.js apps – allowing full root shell

    @khadafigans_

    6 Jan 2026

    103 Impressions

    1 Retweet

    1 Like

    0 Bookmarks

    1 Reply

    0 Quotes

  7. Dear @OfficialB360, I reported an unauthenticated Remote Code Execution vulnerability on your website (https://t.co/WKe1KHPPly) via email This is the critical React2Shell flaw (CVE-2025-66478 / CVE-2025-55182) affecting unpatched Next.js apps – allowing full root shell access

    @khadafigans_

    4 Jan 2026

    327 Impressions

    2 Retweets

    3 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  8. Dear @OfficialB360, I reported an unauthenticated Remote Code Execution vulnerability on your website (https://t.co/WKe1KHPPly) via email This is the critical React2Shell flaw (CVE-2025-66478 / CVE-2025-55182) affecting unpatched Next.js apps – allowing full root shell access

    @khadafigans_

    4 Jan 2026

    9 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  9. Dear @OfficialB360, I reported an unauthenticated Remote Code Execution vulnerability on your website (https://t.co/WKe1KHPPly) via email This is the critical React2Shell flaw (CVE-2025-66478 / CVE-2025-55182) Discover my tools : https://t.co/IJs1ItYjq0 https://t.co/MvFSMHgiwM

    @khadafigans_

    4 Jan 2026

    4 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  10. 🔥 React2Shell RCE Exploit (CVE-2025-66478) is out! 🔥 A critical remote code execution vulnerability exploit for #React apps. Use for authorized testing only! ⚠️ #cybersecurity #infosec #exploit #CVE https://t.co/RRXWcvL61o https://t.co/43Zio4BViw

    @TheExploitLab

    3 Jan 2026

    272 Impressions

    0 Retweets

    0 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  11. Just when the gate closed, Vecna slipped back in through code. 💻🧟‍♂️ CVE-2025-66478: one poisoned request, total takeover. ⚠️ Astra detected it. Contained it. But Vecna isn’t gone… yet. 🔍 Episode 3 coming. The real fight begins.#NextJS #StrangerThings #As

    @getastra

    2 Jan 2026

    76 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  12. Recently a hacker group named PCPcat has been using two vulnerabilities, identified as CVE-2025-29927 and CVE-2025-66478, to break into servers. One of these vulnerabilities relates to the vuln

    @AmirHossein_sec

    25 Dec 2025

    57 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  13. Operation PCPcat Hacked 59,000+ Next.js/React Servers Within 48 Hours A massive credential-theft campaign dubbed PCPcat compromised 59,128 Next.js servers in under 48 hours. The operation exploits critical vulnerabilities CVE-2025-29927 and CVE-2025-66478, achieving a 64.6%

    @redhuvivek09

    25 Dec 2025

    161 Impressions

    0 Retweets

    3 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  14. 🚨 Operation PCPcat: Credential-Stealing Campaign Hijacks 59,000+ Next.js Servers via React/Next.js RCE A mass exploitation campaign is compromising internet-facing Next.js deployments by chaining CVE-2025-29927 and CVE-2025-66478 for RCE, then scraping high-value secrets (.env

    @ThreatSynop

    25 Dec 2025

    3 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  15. 59,128 Next.js servers were hacked within 48 hours. Reported by Beelzebub. A chain of CVE-2025-29927 and CVE-2025-66478. Attack success rate of 64.6%. Investigated via reconnaissance of the C2 server. The activity has been named Operation PCPcat. https://t.co/FIwX4EOrYX

    @__kokumoto

    24 Dec 2025

    3471 Impressions

    14 Retweets

    46 Likes

    16 Bookmarks

    0 Replies

    1 Quote

  16. #threatreport #LowCompleteness Original Paper | React2Shell Exploit Analysis Report | 20-12-2025 Source: https://t.co/xgDGbMYGNm Key details below ↓ 💀Threats: React2shell_vuln, 🎯Victims: Technology sector 🌐Geo: China, Germany 🔓CVEs: CVE-2025-66478 https://t.co/X

    @rst_cloud

    23 Dec 2025

    67 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  17. [Urgent] Severity-10 vulnerability found in React and Next.js... remote code execution possible without authentication. An RSC deserialization flaw brings the worst-case 'CVSS 10.0' bug; it can be breached with the default configuration alone... The flaw has been named CVE-2025-55182. Next.js appli

    @gptkim33

    23 Dec 2025

    9 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  18. 🚨 CRITICAL ALERT: Fix the Next.js RCE Now! (CVE-2025-66478) If your company runs Next.js (App Router) in production, stop now. CVE-2025-66478 is a level-10 RCE. Basically, it hands over the keys to the server. https://t.co/qQNM0AiX1e I just released a technical analy

    @pedrofrei4s

    22 Dec 2025

    21 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    1 Reply

    0 Quotes

  19. Apparently most of SF’s power grid was running on a vulnerable version of Next.js and now the entire city’s power supply is being used to mine Monero. This is your sign to upgrade immediately. CVE-2025-66478 takes no prisoners. https://t.co/Qh4v6I6mVx

    @michael_chomsky

    21 Dec 2025

    2628 Impressions

    4 Retweets

    32 Likes

    4 Bookmarks

    2 Replies

    0 Quotes

  20. A server owner learned the hard way that "I don't use Next.js" doesn't guarantee safety. Their server was found mining cryptocurrency, exploited via an analytics tool due to a critical Next.js vulnerability (CVE-2025-66478). 1/5

    @liqilin3

    18 Dec 2025

    29 Impressions

    0 Retweets

    2 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  21. 🚨 New Outbreak Alert: Critical unauthenticated RCE (#React2Shell) actively exploited in the wild, impacting React Server Components and vulnerable Next.js implementations (CVE-2025-55182, CVE-2025-66478). 🔗 Get full details and mitigation guidance: https://t.co/dnn9XFGKEh

    @FortiGuardLabs

    17 Dec 2025

    262 Impressions

    1 Retweet

    3 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  22. react2shell #exploit #scanner A CLI tool to exploit prototype pollution vulnerabilities in React Server Components / Server Actions (CVE-2025-55182 & CVE-2025-66478), enabling remote code execution (RCE) on vulnerable servers. https://t.co/LCO0fnt4pO

    @TheExploitLab

    17 Dec 2025

    30 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  23. React2Shell #exploit An advanced command-line framework for discovery, validation, and exploitation of CVE-2025-55182 and CVE-2025-66478 affecting Next.js applications using React Server Components (RSC). https://t.co/1JtUXwLfg4

    @TheExploitLab

    17 Dec 2025

    52 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  24. CVE-2025-66478-Exploit-PoC #exploit Proof-of-concept exploit demo for CVE-2025-66478 using Node.js https://t.co/OMpRGwe90P

    @TheExploitLab

    17 Dec 2025

    34 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  25. 🔐 Don’t hack me, please! 🙏✨ > bunx fix-react2shell-next 🛡️ fix-react2shell-next — Next.js vulnerability scanner A quiet guardian, checking the seams of your code 🌙 🔍 Scanning for 4 known vulnerabilities: 🚨 CVE-2025-66478 (critical): Remote code ex

    @racheltnguyen

    16 Dec 2025

    58 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    1 Reply

    0 Quotes

  26. PCPcat malware compromises 59,000+ servers in under 48 hours via React2Shell exploit, abusing .js/React RCE flaws CVE-2025-29927 and CVE-2025-66478 for unauthenticated remote code execution. #Malware https://t.co/3iSPlAiBTl

    @threatcluster

    15 Dec 2025

    33 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  27. Anyone else hitting this on Vercel? ⚠️ Vulnerable version of Next.js detected (CVE-2025-66478). Fix that worked for me: npx fix-react2shell-next Curious who else ran into this https://t.co/pn98maulPz

    @Tushar_Jsx

    15 Dec 2025

    112 Impressions

    0 Retweets

    2 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  28. 0G Foundation hit by breach via critical .js flaw CVE-2025-66478 on Dec 5 2025, with 520,010 $0G drained through the reward contract emergency withdrawal and bridged across platforms. #DeFi https://t.co/tZ7HBUxHbg

    @threatcluster

    13 Dec 2025

    38 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  29. 🔴 React Server Components: 3 New CVEs Surface After React2Shell React2Shell (CVE-2025-55182 + CVE-2025-66478) spawned three more RSC vulnerabilities within days. CVE-2025-55183 leaks server-side source code including secrets when attackers coerce Server Functions to return

    @the_c_protocol

    13 Dec 2025

    49 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  30. React2Shell (CVE-2025-55182, CVE-2025-66478): Burp now supports scanning for it, but I don't have time to look at how the detection works https://t.co/dppOQySCIZ

    @__kokumoto

    13 Dec 2025

    3582 Impressions

    3 Retweets

    24 Likes

    13 Bookmarks

    0 Replies

    0 Quotes

  31. Looks important 😨 ⚠️ CVE Update: CVE-2025-66478 is officially a duplicate of CVE-2025-55182. Same root cause: Both stem from same vulnerability. Not a false positive: Detections for 66478 remain valid. Canonical ID: Use CVE-2025-55182 moving forward. Read https://t.co/KbVX

    @InfoSecSherpa

    12 Dec 2025

    205 Impressions

    0 Retweets

    2 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  32. [Next.js] For CVE-2025-66478 mitigation, I just ran npx fix-react2shell-next for now | div.sawa https://t.co/xW1bL8x2Hw #zenn

    @yousukezan

    11 Dec 2025

    753 Impressions

    0 Retweets

    4 Likes

    5 Bookmarks

    0 Replies

    0 Quotes

  33. Recently, the core React team at Meta and the Next.js team at Vercel jointly announced two Critical security vulnerabilities: CVE-2025-55182 (React) and CVE-2025-66478 (Next.js). Both vulnerabilities have a maximum CVSS score of 10. Click the link to learn about Alibaba Cloud’

    @alibaba_cloud

    11 Dec 2025

    6415 Impressions

    4 Retweets

    13 Likes

    2 Bookmarks

    2 Replies

    0 Quotes

  34. React2shell detection payload by @assetnote team (CVE-2025-55182 & CVE-2025-66478) #bugbounty #bugbountytips #infosec https://t.co/UctlZp2SGT

    @viehgroup

    11 Dec 2025

    1706 Impressions

    3 Retweets

    38 Likes

    15 Bookmarks

    0 Replies

    0 Quotes

  35. Alert on vulnerabilities affecting React Server Components (RSC) 📢 Remote code execution (RCE) vulnerabilities CVE-2025-55182 and CVE-2025-66478 affecting RSC have been announced. Support information for each platform and WafCharm's resp

    @WafCharm_JP

    11 Dec 2025

    78 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  36. On a service we run on NextJS, separate from our app, we hadn't gotten around to applying the fix for CVE-2025-66478; a miner was run on it just as you'd expect and our GoogleCloud project was suspended, so everyone please be careful 🫠

    @BySho2Team

    10 Dec 2025

    38 Impressions

    0 Retweets

    1 Like

    1 Bookmark

    0 Replies

    0 Quotes

  37. Why CVE-2025-55182 and CVE-2025-66478 Demand Immediate Attention: Over the past decade, some of the most damaging cyber incidents were caused not by zero-days, but by publicly disclosed CVEs that organizations failed to patch in time. We are now witnessing a similar pattern: ht

    @vigneshk_07

    10 Dec 2025

    44 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  38. There’s a new React vulnerability making waves right now (CVE-2025-55182 / CVE-2025-66478). It affects React Server Components and certain Next.js versions, leading to a pretty serious RCE vector if you’re running the wrong setup. To help devs quickly check their apps, I bu

    @SoloHacker47

    10 Dec 2025

    305 Impressions

    0 Retweets

    7 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  39. 🚨 Critical RCE flaws CVE-2025-55182 & CVE-2025-66478 put React/Next.js apps at risk. No auth required for data theft. Barracuda Application Protection provides automatic defense & real-time updates. #BarracudaONEplatform #React2Shell #ApplicationProtectio #@barracuda

    @loophold

    10 Dec 2025

    133 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  40. 🚨 Next.js [—] Dec 10, 2025 Comprehensive Security Advisory on Critical RCE Vulnerabilities (CVE-2025-55182/CVE-2025-66478) Impacting Next.js and Associated Server-Side Ecosystem Checkout our Threat Intelligence Platform: https://t.co/QuwNtEgYh1... https://t.co/zXVr9fFYTE

    @transilienceai

    10 Dec 2025

    73 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  41. https://t.co/hqIG7KV4ef CVE-2025-66478 addresses a security vulnerability in Next.js that could potentially allow unauthorized access to sensitive information or allow attackers to manipulate applications built using the framework. #Developers #React #Nextjs

    @AyushSahay19

    9 Dec 2025

    43 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  42. Fixed your Next.js app for CVE-2025-66478 yet? Run this to check if you’re vulnerable: npx fix-react2shell-next https://t.co/nkbELln0jl https://t.co/764iL9Nayf

    @srbcode

    9 Dec 2025

    77 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  43. 🔴 CVE-2025-66478 & CVE-2025-55182 - Next.js RSC RCE Risk Two critical Next.js vulnerabilities in Server Components create path to remote code execution. CVE-2025-66478 lets attackers inject malicious React elements via tainted props. CVE-2025-55182 is server-side request

    @the_c_protocol

    9 Dec 2025

    76 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  44. 🚨 Next.js/RSC 10/10 VULNS are live! I'm @yz9yt. Use ReactHunter: the advanced scanner for bulk testing & specific exploits (CVE-2025-66478 bypass). Scan your apps now:👉 https://t.co/iqYX73WRDo #RSC #NextJS #infosec #bugbounty

    @yz9yt

    9 Dec 2025

    240 Impressions

    1 Retweet

    2 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  45. Heard so many people on X got attacked via CVE-2025-66478; most of them are just lying, since most @nextjs .js apps are hosted on @vercel. If they're not hosted on Vercel, those teams have scale to mitigate this risk themselves. The Vercel team handled it fairly well. Opinions?

    @taheerBuilds

    9 Dec 2025

    98 Impressions

    0 Retweets

    2 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  46. Find out if you are vulnerable to the React2Shell vulnerability, covering both official tracking IDs: • React Server Component exposure – CVE-2025-55182 • Next.js App Router RCE chain – CVE-2025-66478 The SecPoint Penetrator verifies real-world exploitability using remo

    @secpoint

    9 Dec 2025

    201 Impressions

    1 Retweet

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  47. React2Shell (CVE-2025-55182 / Next.js CVE-2025-66478) has completely heated up. Security teams everywhere are scrambling as attackers race to target any web application running React Server Components. The RSC Flight protocol flaw is trivial to probe, easy to automate, and https:

    @suhasgopinath

    9 Dec 2025

    450 Impressions

    0 Retweets

    0 Likes

    2 Bookmarks

    0 Replies

    0 Quotes

  48. After #React2Shell CVE-2025-55182,CVE-2025-66478 https://t.co/38VzuG1DKa

    @PakCyberbot

    9 Dec 2025

    293 Impressions

    0 Retweets

    3 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  49. 🚨 Yesterday was a wake-up call. My server got compromised through a malware attack targeting React + Next.js applications. This wasn’t a random vulnerability — it was tied to the recent zero-day exploits CVE-2025-55182 (React) and CVE-2025-66478 (Next.js). The payload sil

    @portfolio2video

    9 Dec 2025

    93 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  50. 🚨 Critical Security Alert for Next.js Developers 🚨 A high-severity Request Smuggling vulnerability (CVE-2025-66478) has been disclosed affecting self-hosted Next.js applications. ⚠️ Action Required: Check your version and upgrade to the latest patch immediately.

    @DigiClemR

    9 Dec 2025

    186 Impressions

    1 Retweet

    5 Likes

    1 Bookmark

    0 Replies

    0 Quotes

References

Sources include official advisories and independent security research.