Critical Security Vulnerability in Next.js Caused Server Abuse, Downtime, and Financial Damage #86977
Status: Unanswered. Asked by MohammadRezaKiani in Help. Replies: 1 comment.
The vulnerability originates, as per https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components, in the React libraries.
In App Router, Next.js manages your React packages for you (https://nextjs.org/docs#react-version-handling), so to patch the vulnerabilities above, a Next.js update is necessary.
Last but not least, Vercel's security bulletin: https://vercel.com/kb/bulletin/react2shell with even more info.
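The reply above makes a point that is easy to miss when auditing a lockfile: in App Router, Next.js bundles its own React Server Components runtime, so the `react` entry in package-lock.json does not tell you whether the fix is in place; the installed `next` version is what has to be checked. The following script is an added example for this thread, not code from the Next.js project or from the discussion participants. It reads a package-lock.json (lockfileVersion 1, 2 or 3), resolves the installed `next` version and compares it against a minimum patched version per release line. The threshold map `EXAMPLE_MIN_PATCHED` and the lockfile fragment `SAMPLE_LOCK` are constructed placeholders; take the real fixed versions from the React blog post and the Vercel bulletin linked in the reply.

```javascript
// Added example for this thread (not from the Next.js project or the reply author).
// Audits a package-lock.json for the installed `next` version and compares it to
// a caller-supplied minimum patched version for that release line.

function parseSemver(text) {
  // Accepts "15.3.2", "v15.3.2" or "15.3.2-canary.7"; returns null otherwise.
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(String(text).trim());
  if (!m) return null;
  return { major: Number(m[1]), minor: Number(m[2]), patch: Number(m[3]), pre: m[4] || null };
}

function compareSemver(a, b) {
  for (const key of ["major", "minor", "patch"]) {
    if (a[key] !== b[key]) return a[key] < b[key] ? -1 : 1;
  }
  // A prerelease (e.g. a canary build) sorts below the final release of the same number.
  if (a.pre && !b.pre) return -1;
  if (!a.pre && b.pre) return 1;
  return 0;
}

function installedVersion(lock, name) {
  // lockfileVersion 2/3 keep a flat "packages" map keyed by install path;
  // lockfileVersion 1 keeps a "dependencies" tree. Check both shapes.
  const fromPackages = lock.packages && lock.packages[`node_modules/${name}`];
  if (fromPackages && fromPackages.version) return fromPackages.version;
  const fromDeps = lock.dependencies && lock.dependencies[name];
  return fromDeps && fromDeps.version ? fromDeps.version : null;
}

function auditNext(lockJson, minPatchedByLine) {
  const lock = JSON.parse(lockJson);
  const version = installedVersion(lock, "next");
  if (version === null) return { status: "missing", version: null };
  const v = parseSemver(version);
  if (v === null) return { status: "unparseable", version };
  const line = `${v.major}.${v.minor}`;
  const minimum = minPatchedByLine[line];
  // A release line not present in the map is reported, never silently passed.
  if (!minimum) return { status: "unknown-line", version, line };
  const patched = compareSemver(v, parseSemver(minimum)) >= 0;
  return { status: patched ? "patched" : "vulnerable", version, line, minimum };
}

// PLACEHOLDER thresholds, illustrative only: replace with the fixed versions
// published in the advisory for each release line you actually run.
const EXAMPLE_MIN_PATCHED = { "15.3": "15.3.6", "16.0": "16.0.7" };

// Constructed lockfile fragment (not from any real project). The `react` entry
// looks current, but it says nothing about the RSC runtime bundled inside `next`.
const SAMPLE_LOCK = JSON.stringify({
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { next: "^15.3.2", react: "^19.1.0" } },
    "node_modules/next": { version: "15.3.2" },
    "node_modules/react": { version: "19.1.0" },
  },
});

console.log(auditNext(SAMPLE_LOCK, EXAMPLE_MIN_PATCHED));
```

On a real deployment, `npm ls next` prints the same resolved version the lockfile records; run the audit against the lockfile that was actually deployed, since a caret range like `^15.3.2` in package.json only moves forward when the lockfile is regenerated.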
Summary
Hello Next.js team,
I am opening this issue because the recent security vulnerability CVE-2025-66478 has directly caused severe damage to our infrastructure.
Due to this vulnerability, our production server was compromised and used to perform outbound UDP attacks without our knowledge. As a result:
- Our dedicated server was suspended by the datacenter
- All customer websites went offline
- We lost access to our services for critical hours
- We were forced to recover the system through a Live ISO environment
- We suffered real financial loss and serious operational disruption
This incident happened specifically because of CVE-2025-66478 affecting our Next.js environment. We had no prior notice, no warnings, and the exploit was already being used in the wild before we could patch or mitigate it.
I kindly request:
- A full and transparent technical report of this vulnerability
- Clear details about the exploit chain and impact scope
- Recommended hardening steps for affected production deployments
- A statement or guidance for companies who experienced damages due to this vulnerability
This issue has caused significant harm to our business and clients.
We expect the team to handle this with urgency and responsibility.
Thank you.
Additional information: No response
Example: No response