@ben-vargas
Contributor

Summary

  • Bump Next.js from 15.4.7 to 15.4.8 in example projects to address critical (CVSS 10.0) remote code execution vulnerability

Details

CVE-2025-66478 is a critical RCE vulnerability in Next.js App Router affecting versions 15.x < 15.4.8. The vulnerability exists in the React Server Components Flight protocol, allowing unauthenticated remote code execution via prototype pollution in the requireModule function.

Affected examples:

  • examples/nextjs
  • examples/realtime-next

Changes:

  • Updated next dependency from 15.4.7 → 15.4.8
  • Regenerated pnpm-lock.yaml

References

Test plan

  • pnpm install completes successfully
  • pnpm build passes for affected examples
  • Examples run correctly with patched Next.js version

@changeset-bot

changeset-bot bot commented Dec 7, 2025

⚠️ No Changeset found

Latest commit: ca52624

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Bump Next.js from 15.4.7 to 15.4.8 in example projects to address
critical (CVSS 10.0) remote code execution vulnerability in React
Server Components via prototype pollution.

Affected examples:
- examples/nextjs
- examples/realtime-next

References:
- https://nextjs.org/blog/CVE-2025-66478
- https://nvd.nist.gov/vuln/detail/CVE-2025-66478
@ben-vargas ben-vargas force-pushed the chore-next-js-cve-patch branch from 2d540ee to ca52624 on December 7, 2025 19:15
@ben-vargas ben-vargas marked this pull request as ready for review December 7, 2025 19:16
@seratch seratch added documentation Improvements or additions to documentation dependencies Pull requests that update a dependency file labels Dec 8, 2025
Member

@seratch seratch left a comment

Thank you so much!

@seratch seratch enabled auto-merge (squash) December 8, 2025 00:32
@seratch seratch merged commit 1833414 into openai:main Dec 8, 2025
4 checks passed