How to Fix the React Server Components Vulnerability in Next.js (CVE-2025-55182 / CVE-2025-66478)

Vulnerabilities have been identified in React Server Components (CVE-2025-55182) and in frameworks like Next.js (CVE-2025-66478), affecting React 19. They affect Next.js 15.x and 16.0.x applications that use React Server Components, including those running on your VPS.
Next.js versions with security fixes: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7.
React versions with security fixes: 19.0.1+, 19.2.0+
Important: This is a critical vulnerability with active exploitation expected. All Next.js users running versions 15.x or 16.0.x should update immediately to protect their applications from exploitation.

How to Update Next.js

Option 1: Automatic Upgrade Command

The easiest way to update Next.js is to use the official upgrade command:

npx @next/codemod upgrade latest

This command automatically:

  • Updates next.config.js with new turbopack configuration
  • Migrates from next lint to the ESLint CLI
  • Migrates deprecated middleware to the new proxy-based middleware system
  • Removes unstable_ prefix from stabilized APIs
  • Removes experimental_ppr Route Segment Config

Option 2: Manual Package Update

If you prefer manual control, install the latest versions directly using your package manager:

Using npm:

npm i next@latest react@latest react-dom@latest eslint-config-next@latest

Using pnpm:

pnpm i next@latest react@latest react-dom@latest eslint-config-next@latest

Using Yarn:

yarn add next@latest react@latest react-dom@latest eslint-config-next@latest

Using Bun:

bun add next@latest react@latest react-dom@latest eslint-config-next@latest

Important for TypeScript users: Ensure you also upgrade @types/react and @types/react-dom to their latest versions.

Updating to Specific Patched Versions

To update to a specific patched version based on your current Next.js release line:

npm install next@15.0.5 # for 15.0.x users
npm install next@15.1.9 # for 15.1.x users
npm install next@15.2.6 # for 15.2.x users
npm install next@15.3.6 # for 15.3.x users
npm install next@15.4.8 # for 15.4.x users
npm install next@15.5.7 # for 15.5.x users
npm install next@16.0.7 # for 16.0.x users

For React Router Users

If you’re using React Router’s unstable RSC APIs, upgrade the following dependencies:

npm install react@latest
npm install react-dom@latest
npm install react-server-dom-parcel@latest
npm install react-server-dom-webpack@latest
npm install @vitejs/plugin-rsc@latest

Verifying Your Update

After updating, verify your installation by checking the versions:

npm list next react react-dom

Ensure all packages are updated to the patched versions listed above.
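
One way to automate that comparison, as an added example (not part of the original article or of any Next.js tooling): a Node script that reads the version actually installed under node_modules and checks it against the patched Next.js release list above. The names classifyNext and installedNextVersion, the status labels and the exit codes are hypothetical; prerelease builds and release lines the list does not cover are reported as unknown.

```javascript
// Patched Next.js patch number per release line, copied from the list on this page.
const PATCHED = {
  "15.0": 5, "15.1": 9, "15.2": 6, "15.3": 6,
  "15.4": 8, "15.5": 7, "16.0": 7,
};

// Classify an installed Next.js version against that list. Returns:
//   "patched" / "vulnerable"  for a listed release line,
//   "out-of-range"            outside 15.x and 16.0.x (the range this page names),
//   "unknown"                 prerelease, unparsable, or a 15.x line not in the list.
function classifyNext(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/
    .exec(String(version).trim());
  if (!m) return "unknown";
  const [major, minor, patch] = [m[1], m[2], m[3]].map(Number);
  if (m[4]) return "unknown"; // canary/rc builds are not covered by the list
  if (!(major === 15 || (major === 16 && minor === 0))) return "out-of-range";
  const fixed = PATCHED[`${major}.${minor}`];
  if (fixed === undefined) return "unknown";
  return patch >= fixed ? "patched" : "vulnerable"; // numeric, so 15.5.10 > 15.5.7
}

// Read the version that is really installed, not the range in package.json.
async function installedNextVersion(projectDir) {
  const { readFile } = await import("node:fs/promises");
  const path = await import("node:path");
  const file = path.join(projectDir, "node_modules", "next", "package.json");
  return JSON.parse(await readFile(file, "utf8")).version;
}

// CLI use: node check-next.js <project-dir>
// Exit code 0 = patched or out of range, 1 = vulnerable, 2 = unknown or unreadable.
if (process.argv[2]) {
  installedNextVersion(process.argv[2])
    .then((v) => {
      const status = classifyNext(v);
      console.log(`next ${v}: ${status}`);
      process.exitCode = status === "vulnerable" ? 1 : status === "unknown" ? 2 : 0;
    })
    .catch((e) => {
      console.error(`cannot read installed next: ${e.message}`);
      process.exitCode = 2;
    });
}
```

Run it once per deployed project directory on the VPS; a lockfile or package.json range alone does not show what is installed.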

Additional Safety Measures

Once the packages are upgraded, make sure to clean up your VPS. Detailed steps can be found in: What to Do if Your VPS Has Been Hacked at Hostinger?

Additional Resources

How to Secure Your VPS from Abusive Activity