CVE-2025-66478 scope?

[typenoob]

Summary

Hi I just noticed this CVE-2025-66478, and wonder if it would affect my application.

I'm using app router

Here is the dependencies:

  "dependencies": {
    "@headlessui/react": "^2.2.0",
    "@reduxjs/toolkit": "^2.3.0",
    "axios": "^1.7.8",
    "classnames": "^2.5.1",
    "html-react-parser": "^5.1.18",
    "i18next": "^23.16.5",
    "i18next-browser-languagedetector": "^8.0.0",
    "i18next-http-backend": "^2.6.2",
    "moment": "^2.30.1",
    "next": "15.0.3",
    "qrcode": "^1.5.4",
    "react": "19.0.0-rc-66855b96-20241106",
    "react-cookie": "^7.2.2",
    "react-dom": "19.0.0-rc-66855b96-20241106",
    "react-hook-form": "^7.53.2",
    "react-i18next": "^15.1.1",
    "react-redux": "^9.1.2",
    "redux-persist": "^6.0.0"
  },

Do I have a risk if I don't use these packages?

• react-server-dom-parcel（19.0.0、19.1.0、19.1.1 、19.2.0）

• react-server-dom-webpack（19.0.0、19.1.0、19.1.1 、19.2.0）

• react-server-dom-turbopack（19.0.0、19.1.0、19.1.1 、19.2.0）

Additional information

No response

Example

No response

[abhishekmardiya]

Yes, You’re using an affected version, and it includes several other vulnerabilities. You can check all of them by running npm audit.
You should also update your React version.
Upgrade Next.js to 15.0.5 and both react and react-dom to 19.0.1 for a safer setup.

Here are all the vulnerabilities currently affecting your packages:

Next.js – Denial of Service (DoS) via Server Actions
GHSA-7m27-7ghc-44w9

Information Exposure in Next.js Dev Server (Missing Origin Verification)
GHSA-3h52-269p-cp9r

Cache Key Confusion in Next.js Image Optimization API Routes
GHSA-g5qg-72qw-gw5v

Content Injection Vulnerability in Next.js Image Optimization
GHSA-xv57-4mr9-wg8v

Improper Middleware Redirect Handling Leading to SSRF in Next.js
GHSA-4342-x723-ch2f

Race Condition Leading to Cache Poisoning in Next.js
GHSA-qpjv-v59x-3qc4

Authorization Bypass in Next.js Middleware
GHSA-f82v-jwr5-mffw

Remote Code Execution (RCE) via React Flight Protocol in Next.js
GHSA-9qr9-h5gf-34mp

[typenoob]

Thank you so much for your detailed answer and guidance.

[PMudra]

I don't think the original question has been fully answered (at least not for me). Can somebody explain or point to the right docs how next.js bundles react and the react-server-dom-* packages internally? Why don't I have to update my direct react dependency to 19.2.1?

[icyJoseph]

• https://nextjs.org/docs#react-version-handling

Next.js internally syncs to React canary channel/version. Each update is done through an actual PR to Next.js where the React dependencies being consumed are compiled and vendored in, they pass all unit and e2e tests and are merged to canary, which then after some time is released, or back-ported into a older versions, whatever necessary.

[typenoob]

I also doubted with it before and therefore ask this.