Skip to content

[Security] CVE-2025-66478 Backport Contribution Guide & Tools #86790

New issue
New issue
Closed
Closed
[Security] CVE-2025-66478 Backport Contribution Guide & Tools#86790
Labels
invalid linkThe issue was auto-closed due to a missing/invalid reproduction link. A new issue should be opened.
@AryanVBW

Description

@AryanVBW
AryanVBW
opened on Dec 4, 2025

Summary

This issue provides comprehensive resources for contributors who want to help backport the critical CVE-2025-66478 security fix to older Next.js release lines.

Vulnerability Overview

Field Value
CVE ID CVE-2025-66478 (Next.js), CVE-2025-55182 (React)
Severity 🔴 CRITICAL (CVSS 10.0)
Impact Remote Code Execution (RCE)
Component React Server Components (FlightReplyServer)
Affected Next.js 15.x, 16.x with App Router

Affected Versions

Version Range Status
Next.js 13.x ✅ NOT Affected
Next.js 14.x stable ✅ NOT Affected
Next.js 14.3.0-canary.77+ ❌ Affected
Next.js 15.0.0 - 15.0.4 ❌ Affected
Next.js 15.1.0 - 15.1.8 ❌ Affected
Next.js 15.2.0 - 15.2.5 ❌ Affected
Next.js 15.3.0 - 15.3.5 ❌ Affected
Next.js 15.4.0 - 15.4.7 ❌ Affected
Next.js 15.5.0 - 15.5.6 ❌ Affected
Next.js 16.0.0 - 16.0.6 ❌ Affected

Patched Versions

Release Line Patched Version
15.0.x 15.0.5
15.1.x 15.1.9
15.2.x 15.2.6
15.3.x 15.3.6
15.4.x 15.4.8
15.5.x 15.5.7
16.0.x 16.0.7

Contribution Resources

1. Backport Script

Automates the backporting process:

# Dry run (preview changes)
node scripts/backport-cve-2025-66478.js --target-version 15.4.7 --dry-run

# Execute backport
node scripts/backport-cve-2025-66478.js --target-version 15.4.7

2. Vulnerability Scanner

Scan projects for vulnerable versions:

# Scan single project
node scripts/scan-cve-2025-66478.js package.json

# Scan multiple projects
node scripts/scan-cve-2025-66478.js --scan-dir ./my-projects

3. Documentation

Full backport guide: contributing/docs/CVE-2025-66478-backport-guide.md

How to Contribute

  1. Fork the repository
  2. Run the backport script for your target version
  3. Test the changes thoroughly
  4. Submit a PR to the appropriate release branch

Quick Upgrade Commands

npm install next@15.0.5   # for 15.0.x
npm install next@15.1.9   # for 15.1.x
npm install next@15.2.6   # for 15.2.x
npm install next@15.3.6   # for 15.3.x
npm install next@15.4.8   # for 15.4.x
npm install next@15.5.7   # for 15.5.x
npm install next@16.0.7   # for 16.0.x

# For 14.3.0-canary.77+, downgrade to stable:
npm install next@14

References

Related Files

  • scripts/backport-cve-2025-66478.js - Automated backport script
  • scripts/scan-cve-2025-66478.js - Vulnerability scanner
  • contributing/docs/CVE-2025-66478-backport-guide.md - Full documentation

⚠️ IMPORTANT: All users running affected versions should upgrade immediately. There is no configuration option to disable the vulnerable code path.

Activity

github-actions
closed this as completedon Dec 4, 2025
github-actions

github-actions commented on Dec 4, 2025

@github-actions
github-actionsbot
on Dec 4, 2025 – with GitHub Actions
Contributor

We could not detect a valid reproduction link. Make sure to follow the bug report template carefully.

Why was this issue closed?

To be able to investigate, we need access to a reproduction to identify what triggered the issue. We need a link to a public GitHub repository (template for App Router, template for Pages Router), but you can also use these templates: CodeSandbox: App Router or CodeSandbox: Pages Router.

The bug template that you filled out has a section called "Link to the code that reproduces this issue", which is where you should provide the link to the reproduction.

  • If you did not provide a link or the link you provided is not valid, we will close the issue.
  • If you provide a link to a private repository, we will close the issue.
  • If you provide a link to a repository but not in the correct section, we will close the issue.

What should I do?

Depending on the reason the issue was closed, you can do the following:

  • If you did not provide a link, please open a new issue with a link to a reproduction.
  • If you provided a link to a private repository, please open a new issue with a link to a public repository.
  • If you provided a link to a repository but not in the correct section, please open a new issue with a link to a reproduction in the correct section.

In general, assume that we should not go through a lengthy onboarding process at your company code only to be able to verify an issue.

My repository is private and cannot make it public

In most cases, a private repo will not be a sufficient minimal reproduction, as this codebase might contain a lot of unrelated parts that would make our investigation take longer. Please do not make it public. Instead, create a new repository using the templates above, adding the relevant code to reproduce the issue. Common things to look out for:

  • Remove any code that is not related to the issue. (pages, API routes, components, etc.)
  • Remove any dependencies that are not related to the issue.
  • Remove any third-party service that would require us to sign up for an account to reproduce the issue.
  • Remove any environment variables that are not related to the issue.
  • Remove private packages that we do not have access to.
  • If the issue is not related to a monorepo specifically, try to reproduce the issue without a complex monorepo setup

I did not open this issue, but it is relevant to me, what can I do to help?

Anyone experiencing the same issue is welcome to provide a minimal reproduction following the above steps by opening a new issue.

I think my reproduction is good enough, why aren't you looking into it quickly?

We look into every Next.js issue and constantly monitor open issues for new comments.

However, sometimes we might miss one or two due to the popularity/high traffic of the repository. We apologize, and kindly ask you to refrain from tagging core maintainers, as that will usually not result in increased priority.

Upvoting issues to show your interest will help us prioritize and address them as quickly as possible. That said, every issue is important to us, and if an issue gets closed by accident, we encourage you to open a new one linking to the old issue and we will look into it.

Useful Resources

github-actions
added
invalid linkThe issue was auto-closed due to a missing/invalid reproduction link. A new issue should be opened.
on Dec 4, 2025
github-actions
locked and limited conversation to collaborators on Dec 4, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Metadata

Metadata

Assignees

No one assigned

    Labels

    invalid linkThe issue was auto-closed due to a missing/invalid reproduction link. A new issue should be opened.

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

      Development

      No branches or pull requests

        Participants

        @AryanVBW

        Issue actions