The React2Shell vulnerability (CVE-2025-66478) exposes a critical remote code execution flaw in Next.js applications using React Server Components with the App Router, stemming from an upstream React vulnerability (CVE-2025-55182) in the RSC protocol.
Attackers can craft malicious requests that manipulate server-side execution paths, potentially granting full server control with CVSS 10.0 severity. The vulnerability affects Next.js 15.x, 16.x, and specific 14.x canary releases, while stable Next.js 13.x/14.x and Pages Router applications remain unaffected.
Mitigation requires immediate upgrading to patched Next.js versions (15.0.5, 15.1.9, etc.), implementing web application firewalls to detect malicious RSC traffic, and conducting security audits of potentially compromised applications, as there are no configuration-based workarounds for this protocol-level vulnerability.
Severity:
High
Attack Surface:
Infrastructure, Server OS, Web Application, Web Browser
Tactics:
Execution, Impact, Initial Access
Techniques:
T1190 – Exploit Public-Facing Application
T1212 – Exploitation for Credential Access
T1059 – Command and Scripting Interpreter
T1133 – External Remote Services
References:
1. https://nextjs.org/blog/CVE-2025-66478
Indicator of Compromise:
1. https://otx.alienvault.com/pulse/6933e9bd88e039cb2c2b9d1d
SuperPRO’s Threat Countermeasures Procedures:
1. Immediately upgrade Next.js applications to patched versions (15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, or 16.0.7).
2. Downgrade from vulnerable Next.js 14.x canary releases (14.3.0-canary.77+) to stable 14.x versions.
3. Implement web application firewalls to monitor and block malicious RSC protocol requests.
4. Conduct security audits of affected Next.js applications for signs of exploitation.
5. Restrict network access to development and staging environments running vulnerable versions.
6. Monitor server logs for unusual RSC protocol activity or unexpected process execution.
7. Implement runtime application self-protection (RASP) for additional defense-in-depth.
8. Establish regular vulnerability scanning for application dependencies and frameworks.
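A defender-side version check, added here as an example and not part of the advisory or the Next.js project, that classifies an installed Next.js version against the affected and patched ranges listed above (steps 1, 2 and 8). The version numbers come from the advisory; the function names, status labels and the sample lockfile fragment are this example's own assumptions.

```javascript
// Added example, not advisory or Next.js project code. Version numbers are taken
// from the advisory; function names, status labels and sample data are assumed.

// Patched patch level for each release line named in the advisory.
const PATCHED_PATCH_BY_LINE = {
  '15.0': 5, '15.1': 9, '15.2': 6, '15.3': 6, '15.4': 8, '15.5': 7, '16.0': 7,
};
// First affected 14.x canary build per the advisory: 14.3.0-canary.77
const FIRST_BAD_CANARY = { minor: 3, patch: 0, build: 77 };

// Parse "major.minor.patch[-prerelease]" (e.g. "14.3.0-canary.77").
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable Next.js version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Returns 'unaffected', 'vulnerable', 'patched' or 'unknown' (line not listed).
function classifyNextVersion(v) {
  const { major, minor, patch, pre } = parseVersion(v);
  if (major <= 13) return 'unaffected';
  if (major === 14) {
    // Stable 14.x is unaffected; canary builds from 14.3.0-canary.77 onward are.
    const c = pre && /^canary\.(\d+)$/.exec(pre);
    if (!c) return 'unaffected';
    const here = [minor, patch, +c[1]];
    const first = [FIRST_BAD_CANARY.minor, FIRST_BAD_CANARY.patch, FIRST_BAD_CANARY.build];
    for (let i = 0; i < 3; i++) {
      if (here[i] !== first[i]) return here[i] > first[i] ? 'vulnerable' : 'unaffected';
    }
    return 'vulnerable'; // exactly 14.3.0-canary.77
  }
  const fixed = PATCHED_PATCH_BY_LINE[`${major}.${minor}`];
  if (fixed === undefined) return 'unknown'; // release line not covered by the advisory
  // A prerelease of the fixed patch level (e.g. 15.1.9-canary.2) sorts before the fix.
  if (patch > fixed || (patch === fixed && !pre)) return 'patched';
  return 'vulnerable';
}

// Find the installed "next" in a parsed package-lock.json (lockfileVersion 2/3,
// entries under "packages") and classify it.
function auditLockfile(lock) {
  const entry = lock.packages && lock.packages['node_modules/next'];
  if (!entry || !entry.version) return { version: null, status: 'not-installed' };
  return { version: entry.version, status: classifyNextVersion(entry.version) };
}

// Constructed sample lockfile fragment (not from any real project).
const SAMPLE_LOCK = { lockfileVersion: 3, packages: { 'node_modules/next': { version: '15.1.8' } } };
console.log(auditLockfile(SAMPLE_LOCK)); // { version: '15.1.8', status: 'vulnerable' }
```

Run it against a real lockfile with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; a result of 'unknown' means the release line is not one the advisory names and should be checked against the vendor bulletin.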
Contributed by: Thivya