FLAT-VX0Q0 – Vulnerability

Insecure deserialization In next

Ecosystem	Package	Affected version	Patched versions
npm default	next	>=14.3.0-canary.77 <15.0.5 \|\| >=15.1.1-canary.0 <15.1.9 \|\| >=15.2.0-canary.0 <15.2.6 \|\| >=15.3.0-canary.0 <15.3.6 \|\| >=15.4.0-canary.0 <15.4.8 \|\| >=15.5.1-canary.0 <15.5.7 \|\| >=16.0.0-canary.0 <16.0.7	15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7

Description

Next.js is vulnerable to RCE in React flight protocol A vulnerability affects certain React packages¹ for versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55182.

Fixed in: React: 19.0.1, 19.1.2, 19.2.1 Next.js: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7

The vulnerability also affects experimental canary releases starting with 14.3.0-canary.77. Users on any of the 14.3 canary builds should either downgrade to a 14.x stable release or 14.3.0-canary.76.

All users of stable 15.x or 16.x Next.js versions should upgrade to a patched, stable version immediately.

¹ The affected React packages are:

react-server-dom-parcel

react-server-dom-turbopack

react-server-dom-webpack

Mitigation

• npm next: Upgrade to version(s) 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7 or higher.

References

• GitHub Advisory Database

Severity v4.0

8.4

High

Fluid Attacks ID

FLAT-VX0Q0

CVE ID

CVE-2025-66478

CWE ID(s)

CWE-502

Alternative ID

GHSA-9qr9-h5gf-34mp

EPSS

N/A

Percentile

N/A

Source

GitHub Advisory Database

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.