Detecting Next.js CVE-2025-66478 RCE vulnerability with Wazuh


A critical severity Remote Code Execution (RCE) vulnerability affecting Next.js applications that use the App Router has been identified. This vulnerability is rated CVSS 10.0, disclosed as CVE-2025-66478 and allows remote code execution (RCE) when attacker-controlled requests are processed in unpatched environments. It stems from an upstream vulnerability in the React Server Components (RSC) protocol (CVE-2025-55182) affecting React 19 as well as frameworks and bundlers that use the RSC protocol. These frameworks include React Router (RSC mode), Vite RSC plugin, Parcel RSC plugin, RedwoodSDK, and Waku.

In this blog post, we explain how Wazuh helps you identify potential exposure to this vulnerability and strengthen your defensive posture.

Vulnerable versions

At the time of writing, any user or organization running the following versions of Next.js and React is exposed to this vulnerability.

Affected Next.js versions

The vulnerability affects applications that use RSCs with the App Router, running on:

  • Next.js 15.x
  • Next.js 16.x
  • Next.js 14.3.0-canary.77 and later canary releases

Affected React versions

The vulnerability is present in versions 19.0, 19.1.0, 19.1.1, and 19.2.0 of the following npm packages:

Note

Your application may still be vulnerable if it supports RSC, even if it does not implement any of the React Server Functions listed.

Impact of the vulnerability

Applications using affected versions of the RSC protocol can process untrusted input, allowing an unauthenticated attacker to perform RCE. An attacker who can send crafted, malicious RSC requests to a vulnerable application may execute arbitrary code on the server. This action grants the attacker the ability to run commands, deploy payloads, or take full control of the system. Successful exploitation can lead to data exposure, supply-chain attacks, service disruption, and lateral movement within the network.

Infrastructure

We use a lab environment with the following infrastructure to write this blog post and raise awareness about the vulnerabilities.

  • A pre-built, ready-to-use Wazuh OVA 4.14.1, which includes the Wazuh server, indexer, and dashboard.
  • An Ubuntu 24.04 endpoint with Wazuh agent 4.14.1 installed and enrolled in the Wazuh server. This endpoint is monitored for vulnerabilities.
  • A Kali Linux endpoint to exploit the CVE-2025-66478 RCE vulnerability on the Ubuntu endpoint.

Wazuh vulnerability detection

Wazuh provides a CTI service that delivers information about vulnerabilities, along with modules capable of managing software package inventories and detecting vulnerabilities in installed packages or operating systems. These modules are the Syscollector and Vulnerability Detection modules.

Wazuh Cyber Threat Intelligence (CTI)

The Wazuh Cyber Threat Intelligence (CTI) service provides real-time vulnerability information by aggregating known vulnerabilities from trusted external sources. Wazuh matches installed software against information from the Wazuh CTI to detect vulnerable packages. For each detected vulnerability, Wazuh dynamically generates a CTI reference using its Common Vulnerabilities and Exposures (CVE) ID, in this case CVE-2025-66478. For further analysis, you can access detailed information about the vulnerability, including its description, affected operating systems and software versions, severity ratings, and external references.

IT Hygiene

The Wazuh Syscollector module periodically scans a monitored endpoint to collect system inventory information. This information includes hardware, operating system, installed software, network interfaces, ports, running processes, browser extensions, services, users, and group data. This system inventory data is then displayed in the IT Hygiene section of the Wazuh dashboard.

The Wazuh dashboard image below shows the vulnerable Next.js 16.0.2 package found on the monitored Ubuntu endpoint using the filter package.name: is next.

Note

Support for scanning npm packages is limited to the default installation paths.

IT Hygiene section of the Wazuh dashboard

Detecting the vulnerable Next.js package

The Wazuh Vulnerability Detection module helps users discover vulnerabilities in the operating system and applications installed on the monitored endpoints. It generates alerts on the Wazuh dashboard if the vulnerable package Next.js is found on the monitored Ubuntu endpoint.

Perform the following steps on the Wazuh dashboard to view the detected vulnerability associated with CVE-2025-66478:

  1. Navigate to the Vulnerability Detection page.
  2. Enter the query CVE-2025-66478 in the search bar to filter for the Next.js vulnerability.
  3. Switch to the Inventory tab to view the vulnerability alerts.
  4. Click on the vulnerability alert to view more information.
  5. Click on the vulnerability.scanner.reference field of the alert to view detailed information about the vulnerability on the Wazuh CTI.

The result below shows that the version of Next.js found on the monitored Ubuntu endpoint is vulnerable.

Detecting the exploitation of the vulnerability

This section explains how to set up the Wazuh agent to monitor the Ubuntu endpoint and how to detect the exploitation of the vulnerability. Additionally, the Kali Linux endpoint is used to test the PoC exploit.

Ubuntu endpoint

We configure the Wazuh agent to capture Auditd logs and send them to the Wazuh server to detect the exploitation of the vulnerability on the Ubuntu endpoint. 

Monitoring with the Wazuh agent

Wazuh uses the Linux Audit system to monitor system calls on Linux endpoints. Perform the following steps to install Auditd and configure the Wazuh agent to monitor all commands run by a privileged user. 

  1. Install, start, and enable Auditd if it’s not present on the endpoint:
# sudo apt -y install auditd
# sudo systemctl start auditd
# sudo systemctl enable auditd
  2. Execute the following commands to append audit rules to the /etc/audit/audit.rules file:
# echo "-a exit,always -F auid=1000 -F egid!=994 -F auid!=-1 -F arch=b32 -S execve -k audit-wazuh-c" >> /etc/audit/audit.rules
# echo "-a exit,always -F auid=1000 -F egid!=994 -F auid!=-1 -F arch=b64 -S execve -k audit-wazuh-c" >> /etc/audit/audit.rules
  3. Reload the rules and confirm that they are in place:
# sudo auditctl -R /etc/audit/audit.rules
# sudo auditctl -l
-a always,exit -F arch=b32 -S execve -F auid=1000 -F egid!=994 -F auid!=-1 -F key=audit-wazuh-c
-a always,exit -F arch=b64 -S execve -F auid=1000 -F egid!=994 -F auid!=-1 -F key=audit-wazuh-c
  4. Append the following configuration to the Wazuh agent /var/ossec/etc/ossec.conf file. This allows the Wazuh agent to read the Auditd log file:
<ossec_config>
  <localfile>
    <log_format>audit</log_format>
    <location>/var/log/audit/audit.log</location>
  </localfile>
</ossec_config>
  5. Restart the Wazuh agent to apply the configuration changes:
# systemctl restart wazuh-agent

Setting up the PoC exploit

Perform the following steps to set up the PoC exploit.

  1. Install Node.js and npm:
# apt update
# apt install nodejs npm -y
  2. Clone the CVE-2025-55182 PoC exploit repository. This PoC can also be used to exploit CVE-2025-66478 because the Next.js vulnerability stems from the same underlying flaw in the React Server Components protocol.
# git clone https://github.com/msanft/CVE-2025-55182.git
  3. Change to the CVE-2025-55182/test-server/ directory and install the application dependencies. These dependencies include next 16.0.6, which is vulnerable. You can test with another vulnerable version.
# cd CVE-2025-55182/test-server/
# npm install
  4. Build and start the vulnerable application. The application listens on port 3000:
# npm run build
# npm start
  5. Create a sample file named exploit in the /etc directory (/etc/exploit) with the following content, which is used to validate the exploitation:
Next.js CVE-2025-66478 RCE vulnerability has been exploited!!

Kali endpoint

Perform the following steps to exploit the vulnerability.

  1. Clone the CVE-2025-55182 PoC exploit and switch to the directory:
# git clone https://github.com/msanft/CVE-2025-55182.git
# cd CVE-2025-55182
  2. Run the command below to exploit the vulnerability and read the content of /etc/exploit on the Ubuntu endpoint. Replace <UBUNTU_IP_ADDRESS> with the IP address of the Ubuntu endpoint.
# python3 poc.py http://<UBUNTU_IP_ADDRESS>:3000 "cat /etc/exploit"
500
0:{"a":"$@1","f":"","b":"zqLTw2ScJ62EAKh1ytZn9"}
1:E{"digest":"Next.js CVE-2025-66478 RCE vulnerability has been exploited!!"}

You can also retrieve system information from the compromised Ubuntu endpoint with the following command. Replace <UBUNTU_IP_ADDRESS> with the IP address of the Ubuntu endpoint.

# python3 poc.py http://<UBUNTU_IP_ADDRESS>:3000 "uname -a"
500
0:{"a":"$@1","f":"","b":"zqLTw2ScJ62EAKh1ytZn9"}
1:E{"digest":"Linux Ubuntu24 6.8.0-86-generic #87-Ubuntu SMP PREEMPT_DYNAMIC Mon Sep 22 18:03:36 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux"}

From the outputs, we can see that the Next.js CVE-2025-66478 RCE vulnerability has been exploited successfully.

Wazuh dashboard

Follow the steps below to view the alerts generated on the Wazuh dashboard.

1. Navigate to Threat intelligence > Threat Hunting and click the Events tab.

2. Enter rule.groups: audit in the search bar and click Update.

The figures below show the related alerts on the Wazuh dashboard. 

Related alerts on the Wazuh dashboard

Click the Inspect document details button at the far left of the alerts to view the details.

Inspect document details

From the alert details of the uname -a command shown above, we can see that it was executed from the /home/vagrant/CVE-2025-55182/test-server directory. This directory contains the test Next.js application running on the monitored Ubuntu endpoint. Executing system commands from the Next.js application directory can indicate RCE activity.
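The working-directory observation above can be turned into a check over the raw Auditd log that the agent forwards, using the execve events keyed audit-wazuh-c by the rules from the Monitoring with the Wazuh agent section. The script below is an added example; it is not part of the Wazuh post and is not a Wazuh rule. The audit lines, process ids and the application root /home/vagrant/CVE-2025-55182/test-server it uses are constructed from the scenario in the post, and the hex-encoded argument in the first event shows how auditd records an argument that contains a space, which a naive string match on the log would miss.

```python
"""Flag execve events recorded by auditd whose working directory is inside a
Next.js application root.

Added example; not part of the Wazuh post or of any Wazuh rule set. It reads
raw auditd lines in the format the post forwards to the Wazuh server, so it
can be pointed at a copy of /var/log/audit/audit.log. The sample lines and
the application root below are constructed; the key audit-wazuh-c is the one
the post's audit rules set.
"""
import re
import sys

_RECORD_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
_HEX_RE = re.compile(r"^(?:[0-9A-Fa-f]{2})+$")

# Constructed: the directory the test Next.js application runs from in the post.
APP_ROOTS = ["/home/vagrant/CVE-2025-55182/test-server"]

# Constructed audit records: a shell spawned to run "cat /etc/exploit" (argument
# hex-encoded by auditd because it contains a space), the uname -a from the
# post, and a benign ls from the user's home directory.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1733310000.101:4001): arch=c000003e syscall=59 success=yes exit=0 a0=55d1 a1=55d2 a2=55d3 a3=0 items=2 ppid=2210 pid=2345 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=3 comm="sh" exe="/usr/bin/dash" subj=unconfined key="audit-wazuh-c"
type=EXECVE msg=audit(1733310000.101:4001): argc=3 a0="/bin/sh" a1="-c" a2=636174202F6574632F6578706C6F6974
type=CWD msg=audit(1733310000.101:4001): cwd="/home/vagrant/CVE-2025-55182/test-server"
type=PATH msg=audit(1733310000.101:4001): item=0 name="/bin/sh" inode=1234 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1733310000.102:4002): arch=c000003e syscall=59 success=yes exit=0 a0=55e1 a1=55e2 a2=55e3 a3=0 items=2 ppid=2345 pid=2346 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=3 comm="uname" exe="/usr/bin/uname" subj=unconfined key="audit-wazuh-c"
type=EXECVE msg=audit(1733310000.102:4002): argc=2 a0="uname" a1="-a"
type=CWD msg=audit(1733310000.102:4002): cwd="/home/vagrant/CVE-2025-55182/test-server"
type=SYSCALL msg=audit(1733310000.103:4003): arch=c000003e syscall=59 success=yes exit=0 a0=55f1 a1=55f2 a2=55f3 a3=0 items=2 ppid=1900 pid=2400 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="ls" exe="/usr/bin/ls" subj=unconfined key="audit-wazuh-c"
type=EXECVE msg=audit(1733310000.103:4003): argc=2 a0="ls" a1="-l"
type=CWD msg=audit(1733310000.103:4003): cwd="/home/vagrant"
"""


def _decode_string(value):
    """auditd quotes plain strings and hex-encodes ones that contain spaces or
    control characters (typical for the command line passed to sh -c)."""
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return value[1:-1]
    if _HEX_RE.match(value):
        return bytes.fromhex(value).decode("utf-8", "replace")
    return value


def parse_audit_log(lines):
    """Join the SYSCALL, EXECVE and CWD records of each audit event by serial."""
    events = {}
    for line in lines:
        m = _RECORD_RE.match(line.strip())
        if not m:
            continue  # not an auditd record we understand
        rtype, ts, serial, body = m.groups()
        fields = dict(_FIELD_RE.findall(body))
        ev = events.setdefault(serial, {"serial": serial, "timestamp": ts})
        if rtype == "SYSCALL":
            for k in ("auid", "uid", "pid", "ppid"):
                if k in fields:
                    ev[k] = int(fields[k])
            for k in ("comm", "exe", "key"):
                if k in fields:
                    ev[k] = _decode_string(fields[k])
        elif rtype == "EXECVE":
            argc = int(fields.get("argc", "0"))
            ev["argv"] = [_decode_string(fields.get(f"a{i}", "")) for i in range(argc)]
        elif rtype == "CWD":
            ev["cwd"] = _decode_string(fields.get("cwd", ""))
    return list(events.values())


def is_under(path, root):
    root = root.rstrip("/")
    return path == root or path.startswith(root + "/")


def find_app_dir_execs(lines, app_roots, audit_key="audit-wazuh-c"):
    """Return the execve events tagged with audit_key whose cwd lies inside one
    of app_roots: commands launched from the Next.js application directory."""
    findings = []
    for ev in parse_audit_log(lines):
        if "argv" not in ev or ev.get("key") != audit_key:
            continue
        cwd = ev.get("cwd", "")
        root = next((r for r in app_roots if is_under(cwd, r)), None)
        if root is None:
            continue
        findings.append({
            "serial": ev["serial"], "timestamp": ev["timestamp"],
            "app_root": root, "cwd": cwd, "exe": ev.get("exe"),
            "command": " ".join(ev["argv"]),
            "pid": ev.get("pid"), "ppid": ev.get("ppid"),
        })
    return findings


if __name__ == "__main__":
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_AUDIT_LOG.splitlines()
    for hit in find_app_dir_execs(source, APP_ROOTS):
        print(f"{hit['timestamp']} serial={hit['serial']} pid={hit['pid']} ppid={hit['ppid']} "
              f"cwd={hit['cwd']} exe={hit['exe']} cmd={hit['command']!r}")
```

Run it as python3 find_app_dir_execs.py /var/log/audit/audit.log on the endpoint, or without an argument to see the two constructed hits. Legitimate commands also run from the application directory (npm run build, an operator's shell session), so the working directory alone is a lead rather than a verdict; the pid and ppid are kept in each finding so that a hit can be tied back to the Node.js server process, which is the stronger signal.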

Mitigation

To reduce exposure to this vulnerability and prevent potential RCE attacks, apply the following mitigation steps to the affected applications.

Next.js

Upgrade all vulnerable packages to the latest patched version in their release line:

$ npm install next@15.0.5   # for 15.0.x
$ npm install next@15.1.9   # for 15.1.x
$ npm install next@15.2.6   # for 15.2.x
$ npm install next@15.3.6   # for 15.3.x
$ npm install next@15.4.8   # for 15.4.x
$ npm install next@15.5.7   # for 15.5.x
$ npm install next@16.0.7   # for 16.0.x

If you are on Next.js 14.3.0-canary.77 or a later canary release, downgrade to the latest stable 14.x release:

$ npm install next@14

React

Upgrade to any of the fixed versions of React, including 19.0.1, 19.1.2, and 19.2.1.
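Wazuh's npm inventory only covers default installation paths (see the note in the IT Hygiene section), so a lock-file check is a useful second opinion for applications installed elsewhere. The script below is an added example, not part of the Wazuh post or the Next.js project. It encodes the affected and patched versions from the Vulnerable versions and Mitigation sections above, reads a lockfileVersion 2 or 3 package-lock.json, and reports whether the installed next and react versions fall inside the affected ranges and which patched release to move to. The sample lock file is constructed; the script checks only the react package itself, and the other RSC packages named in the advisory can be added to the same loop.

```python
"""Check the next and react versions in a package-lock.json against the
affected and patched versions named in the advisory.

Added example; not from the Wazuh post or the Next.js project. The version
table is the one in the post's Vulnerable versions and Mitigation sections;
the lock file content below is constructed.
"""
import json
import re
import sys

# Patched release per affected Next.js line (from the post's mitigation table).
NEXT_PATCHED = {
    (15, 0): (15, 0, 5), (15, 1): (15, 1, 9), (15, 2): (15, 2, 6),
    (15, 3): (15, 3, 6), (15, 4): (15, 4, 8), (15, 5): (15, 5, 7),
    (16, 0): (16, 0, 7),
}
# First affected 14.x canary build: 14.3.0-canary.77; later canaries are affected too.
NEXT_FIRST_BAD_CANARY = (3, 0, 77)
# Affected React versions (the post's "19.0" read as 19.0.0) and the fix per line.
REACT_AFFECTED = {(19, 0, 0), (19, 1, 0), (19, 1, 1), (19, 2, 0)}
REACT_PATCHED = {(19, 0): (19, 0, 1), (19, 1): (19, 1, 2), (19, 2): (19, 2, 1)}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+.*)?$")

# Constructed lock file: the dependency set of the post's test application.
SAMPLE_LOCK = json.dumps({
    "name": "test-server",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"next": "16.0.6", "react": "19.2.0"}},
        "node_modules/next": {"version": "16.0.6"},
        "node_modules/react": {"version": "19.2.0"},
    },
})


def parse_version(text):
    """'16.0.6' -> ((16, 0, 6), None); '14.3.0-canary.77' -> ((14, 3, 0), 'canary.77')."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"cannot parse version {text!r}")
    return tuple(int(m.group(i)) for i in (1, 2, 3)), m.group(4)


def _fmt(v):
    return ".".join(map(str, v))


def assess_next(version):
    """Return (status, advice); status is vulnerable, patched, not_affected or unknown."""
    (major, minor, patch), pre = parse_version(version)
    if major in (15, 16):
        fixed = NEXT_PATCHED.get((major, minor))
        if fixed is None:
            # Assumption: lines the post lists no fix for are reported, not judged.
            return "unknown", "release line not in the patch table; check the advisory"
        # A prerelease sorts before the release that carries the same numbers.
        if (major, minor, patch, 0 if pre else 1) < fixed + (1,):
            return "vulnerable", f"upgrade to next@{_fmt(fixed)}"
        return "patched", "no action needed"
    if major == 14 and pre and pre.startswith("canary"):
        parts = pre.split(".")
        canary = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else 0
        if (minor, patch, canary) >= NEXT_FIRST_BAD_CANARY:
            return "vulnerable", "downgrade to the latest stable 14.x (npm install next@14)"
    return "not_affected", "version outside the affected ranges"


def assess_react(version):
    """Same status scheme for the react package."""
    (major, minor, patch), pre = parse_version(version)
    v = (major, minor, patch)
    if v in REACT_AFFECTED and not pre:
        return "vulnerable", f"upgrade to react@{_fmt(REACT_PATCHED[(major, minor)])}"
    fixed = REACT_PATCHED.get((major, minor))
    if fixed and v >= fixed:
        return "patched", "no action needed"
    if major < 19:
        return "not_affected", "React 18 and earlier are not listed as affected"
    return "unknown", "version not in the post's affected or fixed lists"


def audit_lockfile(lock_text):
    """Map each checked package in a lockfileVersion 2/3 lock file to
    (installed version, status, advice)."""
    lock = json.loads(lock_text)
    results = {}
    for name, checker in (("next", assess_next), ("react", assess_react)):
        entry = lock.get("packages", {}).get(f"node_modules/{name}")
        if entry and "version" in entry:
            results[name] = (entry["version"],) + checker(entry["version"])
    return results


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCK
    for name, (version, status, advice) in audit_lockfile(text).items():
        print(f"{name}@{version}: {status} ({advice})")
```

Run it as python3 check_next_react.py /path/to/app/package-lock.json; for the constructed lock file it reports next@16.0.6 and react@19.2.0 as vulnerable with the patched release to install. Because it reads the lock file rather than node_modules, it also works on a checked-in repository before deployment.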

Wazuh dashboard

Perform the following steps on the Wazuh dashboard to verify that the vulnerability has been resolved.

  • Navigate to the Vulnerability Detection > Events tab.
  • In the search bar, add the query CVE-2025-66478.
  • The vulnerability status is updated from Active to Solved when the patch is applied.
Vulnerability Detection > Events tab

Conclusion

Wazuh helps organizations identify exposure to the Next.js CVE-2025-66478 RCE vulnerability by detecting vulnerable package versions using its Vulnerability Detection module. When the Wazuh Syscollector module scans the monitored endpoint, it reports the affected versions of Next.js and RSCs, flagging them as vulnerable using the Wazuh CTI feed. This information provides valuable insights to security teams to update or patch vulnerable systems.

Wazuh continuously protects your IT infrastructure by monitoring software versions, identifying configuration weaknesses, and generating actionable alerts. This proactive approach helps you remediate risks before they can be exploited.
