Critical RCE Vulnerability Prompts Urgent Next.js Update Call, Vercel CEO Hints at Further Developments


A critical remote code execution (RCE) vulnerability, identified as CVE-2025-66478, has been discovered in the Next.js framework, affecting versions 15.x and 16.x. The flaw, stemming from insecure deserialization in the React Server Components (RSC) "Flight" protocol, allows for unauthenticated RCE on affected servers with default configurations. Immediate patching is required for all users, as the vulnerability carries a critical severity score of 10.0.

Guillermo Rauch, CEO of Vercel, the company behind Next.js, acknowledged the situation on social media, stating, "Noice. More to come," in response to a user's comment, signaling ongoing efforts and potential further announcements from the company. This comes shortly after the release of Next.js 16 on October 21, 2025, which introduced significant advancements to the framework. The vulnerability, also mirrored in React as CVE-2025-55182, was publicly disclosed on December 3, 2025.

Wiz Research data indicates that approximately 39% of cloud environments contain instances of Next.js or React in vulnerable versions, with 44% of all cloud environments having publicly exposed Next.js instances. Exploitation requires only a specially crafted HTTP request, making the threat highly potent and emphasizing the urgency of the recommended updates. Hardened releases for both React (19.2.1) and Next.js are now available to address the flaw.

The recently released Next.js 16 brought several key features, including stable Turbopack as the default bundler, new Cache Components for explicit caching, and integration with React 19.2. It also introduced Next.js DevTools MCP for AI-assisted debugging and refined caching APIs like updateTag() for immediate cache invalidation. Despite these innovations, the severe security vulnerability overshadows the recent feature enhancements.

Developers are strongly urged to update their Next.js and React dependencies to the latest hardened versions immediately. Google Cloud has also rolled out a new Cloud Armor web application firewall (WAF) rule (cve-canary) as a temporary mitigation, but patching the underlying frameworks remains the most comprehensive long-term solution to eliminate the vulnerability at its source.
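As an added example (not code from the article, Vercel or the Next.js project), a small Node.js script that audits a package-lock.json for the versions the article names: any React package below the 19.2.1 hardened release is reported as below the fix (a conservative assumption, since the article gives no lower bound), and any Next.js 15.x or 16.x install is reported for manual comparison against the advisory, because the article does not list the patched Next.js build numbers. The lockfile content is constructed inline.

```javascript
// Added example: audit a package-lock.json (v2/v3 format with a "packages" map)
// for the React and Next.js versions discussed in the article.
// SAMPLE_LOCK is a constructed lockfile, not one from a real project.
const SAMPLE_LOCK = JSON.stringify({
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { next: "16.0.0", react: "19.2.0" } },
    "node_modules/next": { version: "16.0.0" },
    "node_modules/react": { version: "19.2.0" },
    "node_modules/react-dom": { version: "19.2.0" },
    "node_modules/react-server-dom-webpack": { version: "19.2.0" },
  },
});

// Compare two dotted version strings numerically; pre-release tags are ignored.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// React hardened release named in the article. Assumption: every React package
// below it is worth flagging; Next.js patched builds are not listed in the
// article, so any 15.x/16.x install is flagged for manual review instead.
const REACT_FIXED = "19.2.1";
const REACT_PKGS = ["react", "react-dom", "react-server-dom-webpack", "react-server-dom-turbopack"];

function auditLockfile(lockJson) {
  const lock = JSON.parse(lockJson);
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path.startsWith("node_modules/") || !meta.version) continue;
    // Package name is whatever follows the last "node_modules/" (handles nesting and scopes).
    const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    if (REACT_PKGS.includes(name) && compareVersions(meta.version, REACT_FIXED) < 0) {
      findings.push({ name, version: meta.version, status: "below-fix", fix: REACT_FIXED });
    } else if (name === "next" && /^1[56]\./.test(meta.version)) {
      findings.push({ name, version: meta.version, status: "review", fix: "see advisory" });
    }
  }
  return findings;
}

console.log(auditLockfile(SAMPLE_LOCK));
```

Run it against a real lockfile by replacing SAMPLE_LOCK with `fs.readFileSync("package-lock.json", "utf8")`.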