[Security Advisory] Next.js CVE-2025-66478 — Stable Version Recommendations for Next.js, React, and Node.js

[livingspark108]

Summary

Hi team 👋,

I came across the recent security advisory related to CVE-2025-66478, which is reported to affect certain versions of Next.js, especially around releases in the 16.x line.

Before proceeding with upgrades in production, I want to confirm the current recommended and stable versions for:

Next.js

React

Node.js

This discussion aims to clarify:

🔐 1. Security Advisory Context

According to multiple posts and community reports, Next.js versions around 16.0.x may trigger deployment failures due to security checks (notably React Server Component risks and route handling vulnerabilities).

I'd like to verify:

Which specific versions are impacted by CVE-2025-66478

Whether patch releases are already available

If the advisory affects both Pages Router and App Router projects

📌 2. Stable Version Requests

Could you please provide guidance on the recommended stable releases to use in December 2025?

Specifically:

✔ Next.js (Stable)

Current Long-Term Stability

Latest patch versions free from CVE-2025-66478

✔ React (Stable)

Server Components recommended version

Known vulnerabilities related to CVE-2025-55182

✔ Node.js (Stable)

Minimum supported version for modern Next.js SSR deployments

Whether 18.x or 20.x is recommended for production in 2025

Additional information

📝 3. Questions

Please help clarify:

What is the safest stable Next.js version to use right now?

What React version is recommended to avoid RSC vulnerability (CVE-2025-55182)?

What Node version should be used with current stable Next.js to avoid build failures and SSR crashes?

Are there LTS / long-term support recommendations for enterprise production deployments?

🧩 4. Expected Outcomes

Official recommended versions for production deployment

Any migration notes or breaking changes

Suggested package.json configuration

Links to official security patch releases or advisory statements

Thanks in advance for any guidance or clarification. 🙏
Happy to provide additional logs, package.json versions, or reproduction steps if needed.

Example

No response

[icyJoseph]

Please refer to our official communication: https://nextjs.org/blog/CVE-2025-66478

For visibility sake:

Affected Next.js Versions

Applications using React Server Components with the App Router are affected when running:

• Next.js 15.x
• Next.js 16.x
• Next.js 14.3.0-canary.77 and later canary releases
• Next.js 13.x, Next.js 14.x stable, Pages Router applications, and the Edge Runtime are not affected.

Fixed Versions

The vulnerability is fully resolved in the following patched Next.js releases:

• 15.0.5
• 15.1.9
• 15.2.6
• 15.3.6
• 15.4.8
• 15.5.7
• 16.0.7

We also released patched canary releases for Next.js 15 and 16:

• 15.6.0-canary.58 (for 15.x canary releases)
• 16.1.0-canary.12 (for 16.x canary releases)

These versions include the hardened React Server Components implementation.