What is Next.js CVE-2025-66478 (React2Shell)? Impact and the fastest fix

2026-02-19

A short, practical overview of Next.js App Router/RSC vulnerability CVE-2025-66478 (React2Shell): affected versions, patched releases, and what operators should do immediately.

1-minute summary

A critical vulnerability affecting Next.js App Router / React Server Components was disclosed. The fastest, safest response is:

  • upgrade to a patched Next.js version immediately
  • rotate secrets if your app was exposed while unpatched

Affected scope

Per the official advisory, certain Next.js versions using App Router (RSC) are affected.

Patched versions

Upgrade to an officially patched release (e.g. 15.1.9+). In some environments, hosting providers may also block vulnerable versions during build.

Minimal ops checklist

  • upgrade Next.js
  • rotate critical secrets if needed
  • treat hosting/security advisories as production incidents
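
To back the "upgrade Next.js" item with a check, the script below audits every resolved copy of `next` in a parsed npm `package-lock.json` against a patched floor per release line. It is an added example, not code from the advisory or from Next.js. The function names are hypothetical, and only the 15.1 floor is taken from this page, so other release lines are reported as `check-advisory` rather than assumed safe.

```javascript
// Added example. Patched floor per release line: "major.minor" -> minimum patch.
// Only the 15.1 entry comes from this page; fill in other lines from the advisory.
const PATCHED_FLOORS = { "15.1": 9 };

// Collect every resolved copy of `next` in a parsed package-lock.json
// (lockfileVersion 2/3 "packages" map, falling back to the v1 "dependencies" tree).
function findNextVersions(lock) {
  const found = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (/(^|\/)node_modules\/next$/.test(path) && meta.version) {
      found.push({ path, version: meta.version });
    }
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      if (name === "next" && meta.version) found.push({ path: prefix + name, version: meta.version });
      walk(meta.dependencies, `${prefix}${name} > `);
    }
  };
  if (found.length === 0) walk(lock.dependencies, "");
  return found;
}

// "ok" = at or above the floor, "upgrade" = below it,
// "check-advisory" = no floor recorded for that release line (do not assume safe).
function classify(version, floors = PATCHED_FLOORS) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-.+)?$/.exec(version);
  if (!m) return "check-advisory";
  const floor = floors[`${m[1]}.${m[2]}`];
  if (floor === undefined) return "check-advisory";
  const patch = Number(m[3]);
  // A prerelease of the floor itself (15.1.9-canary.0) sorts before the release.
  return patch > floor || (patch === floor && !m[4]) ? "ok" : "upgrade";
}

function auditLock(lock, floors = PATCHED_FLOORS) {
  return findNextVersions(lock).map((e) => ({ ...e, status: classify(e.version, floors) }));
}

// Constructed sample lockfile for a monorepo with three copies of next.
const SAMPLE_LOCK = {
  packages: {
    "node_modules/next": { version: "15.1.3" },
    "apps/admin/node_modules/next": { version: "15.1.9" },
    "apps/docs/node_modules/next": { version: "15.2.0" },
    "node_modules/next-auth": { version: "4.24.0" },
  },
};
console.log(auditLock(SAMPLE_LOCK));
```

For a real project, pass `auditLock` the result of `JSON.parse` on your own `package-lock.json` and fail the build on any status other than `ok`.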

References

  • Next.js Security Advisory: CVE-2025-66478