Skip to content

fix(security): update Next.js to 15.5.9 to address CVE-2025-66478 #743

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
fgatti675 merged 1 commit into from
Jan 7, 2026
Merged

fix(security): update Next.js to 15.5.9 to address CVE-2025-66478 #743

fgatti675 merged 1 commit into from
Jan 7, 2026

Conversation

@0xjgv
Copy link
Collaborator

@0xjgv 0xjgv commented Jan 6, 2026

Update Next.js from vulnerable versions to 15.5.9 to remediate the critical RCE vulnerability (CVSS 10.0) in React Server Components.

Affected packages:

  • examples/example_next: 15.5.6 → 15.5.9
  • packages/cli/templates/template_next_pro: 15.0.3 → 15.5.9

Also fixes @types/react version mismatch in template_next_pro (was 18.x with React 19, now correctly 19.x).

References:

@0xjgv
fix(security): update Next.js to 15.5.9 to address CVE-2025-66478
670dd18 
Update Next.js from vulnerable versions to 15.5.9 to remediate the
critical RCE vulnerability (CVSS 10.0) in React Server Components.

Affected packages:
- examples/example_next: 15.5.6 → 15.5.9
- packages/cli/templates/template_next_pro: 15.0.3 → 15.5.9

Also fixes @types/react version mismatch in template_next_pro
(was 18.x with React 19, now correctly 19.x).

References:
- https://nextjs.org/blog/CVE-2025-66478
- https://nvd.nist.gov/vuln/detail/CVE-2025-66478
@fgatti675 fgatti675 merged commit 986cc93 into main Jan 7, 2026
3 checks passed
@fgatti675
Copy link
Member

fgatti675 commented Jan 7, 2026

Thank you Juan!!

@0xjgv 0xjgv deleted the fix/cve-2025-66478-nextjs-security branch January 7, 2026 20:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@fgatti675 fgatti675 Awaiting requested review from fgatti675

@marianmoldovan marianmoldovan Awaiting requested review from marianmoldovan

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@0xjgv @fgatti675