1. Home
  2. Vulnerabilities
  3. CVE-2025-66478
0.0
NA
CVE-2025-66478
Apache Struts Remote Code Execution Vulnerability
Description

Rejected reason: This CVE is a duplicate of CVE-2025-55182.

INFO

Published Date :

Dec. 3, 2025, 6:15 p.m.

Last Modified :

Dec. 3, 2025, 6:15 p.m.

Remotely Exploit :

No

Source :

[email protected]
Affected Products

The following products are affected by CVE-2025-66478 vulnerability. Even if cvefeed.io is aware of the exact versions of the products that are affected, the information is not represented in the table below.

ID Vendor Product Action
1 Vercel next.js
: Total Affected Vendor : 1 | Products : 1
Solution
Apply security patches and updates from the vendor to fix the vulnerability.
  • Apply vendor security patches.
  • Update the affected software.
  • Review system configurations.
Public PoC/Exploit Available at Github

CVE-2025-66478 has a 20 public PoC/Exploit available at Github. Go to the Public Exploits tab to see the list.

We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).

Profile Photo
jctommasi/react2shellVulnApp

Deliberately vulnerable banking app for CVE-2025-55182 (React) and CVE-2025-66478 (Next.js) to learn, detect, and safely exercise React2Shell. Runs unpatched React 19.0.0 and Next.js 15.0.3.

Dockerfile TypeScript CSS JavaScript

Updated: 4 hours, 46 minutes ago
0 stars 0 fork 0 watcher
Born at : Dec. 4, 2025, 3:43 p.m. This repo has been linked 2 different CVEs too.
Profile Photo
CymulateResearch/React2Shell-Scanner

React2Shell Scanner (CVE-2025-55182 & CVE-2025-66478)

Python

Updated: 6 hours, 37 minutes ago
0 stars 0 fork 0 watcher
Born at : Dec. 4, 2025, 1:47 p.m. This repo has been linked 2 different CVEs too.
Profile Photo
Malayke/Next.js-RSC-RCE-Scanner-CVE-2025-66478

A command-line scanner for batch detection of Next.js application versions and determining if they are affected by CVE-2025-66478 vulnerability.

Go

Updated: 7 hours ago
0 stars 0 fork 0 watcher
Born at : Dec. 4, 2025, 1:13 p.m. This repo has been linked 1 different CVEs too.
Profile Photo
Security-Phoenix-demo/freight-night-rce-react-next-CVE-2025-55182-CVE-2025-66478

Scanner for CVE-2025-55182 (React) and CVE-2025-66478 (Next.js) - Track and remediate a critical React Server Components (RSC) / Flight protocol vulnerability campaign impacting react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack, and RSC-enabled frameworks like Next.js.

Python Shell

Updated: 5 hours, 43 minutes ago
0 stars 0 fork 0 watcher
Born at : Dec. 4, 2025, 12:22 p.m. This repo has been linked 2 different CVEs too.
Profile Photo
ivaavimusic/React19-fix-vibecoders

CVE-2025-55182 Fix for Vibe Coders

Updated: 8 hours, 39 minutes ago
1 stars 0 fork 0 watcher
Born at : Dec. 4, 2025, 11:51 a.m. This repo has been linked 2 different CVEs too.
Profile Photo
wangxso/CVE-2025-66478-POC

CVE-2025-66478 Proof of Concept

JavaScript

Updated: 12 hours, 46 minutes ago
0 stars 0 fork 0 watcher
Born at : Dec. 4, 2025, 7:44 a.m. This repo has been linked 2 different CVEs too.
Profile Photo
assetnote/react2shell-scanner

High Fidelity Detection Mechanism for RSC/Next.js RCE (CVE-2025-55182 & CVE-2025-66478)

Python

Updated: 4 hours, 37 minutes ago
62 stars 8 fork 8 watcher
Born at : Dec. 4, 2025, 6:55 a.m. This repo has been linked 2 different CVEs too.
Profile Photo
v1xingyue/npm-checker

A CLI tool to audit npm projects for vulnerable package versions

TypeScript JavaScript

Updated: 13 hours, 20 minutes ago
0 stars 0 fork 0 watcher
Born at : Dec. 4, 2025, 6:54 a.m. This repo has been linked 1 different CVEs too.
Profile Photo
joshterrill/CVE-2025-55182-realistic-poc

a realistic POC demonstrating the missing `hasOwnProperty` check in [email protected]

JavaScript

Updated: 17 hours ago
0 stars 0 fork 0 watcher
Born at : Dec. 4, 2025, 3:28 a.m. This repo has been linked 2 different CVEs too.
Profile Photo
songsanggggg/CVE-2025-55182

CVE-2025-55182 漏洞利用GUI,PoC / Exploit for CVE-2025-55182 & CVE-2025-66478

JavaScript Go Dockerfile

Updated: 18 hours, 26 minutes ago
0 stars 5 fork 5 watcher
Born at : Dec. 4, 2025, 2:05 a.m. This repo has been linked 2 different CVEs too.
Profile Photo
heiheishushu/rsc_detect_CVE-2025-55182

For CVE-2025-55182 and CVE-2025-66478 Security Response

Python

Updated: 10 hours, 21 minutes ago
7 stars 1 fork 1 watcher
Born at : Dec. 4, 2025, 2 a.m. This repo has been linked 2 different CVEs too.
Profile Photo
xkillbit/cve-2025-55182-scanner

None

Python

Updated: 13 hours, 25 minutes ago
1 stars 0 fork 0 watcher
Born at : Dec. 4, 2025, 12:58 a.m. This repo has been linked 2 different CVEs too.
Profile Photo
santihabib/CVE-2025-55182-analysis

None

Updated: 4 hours, 37 minutes ago
3 stars 0 fork 0 watcher
Born at : Dec. 3, 2025, 10:44 p.m. This repo has been linked 2 different CVEs too.
Profile Photo
ejpir/CVE-2025-55182-research

CVE-2025-55182 POC

JavaScript

Updated: 4 hours, 41 minutes ago
543 stars 162 fork 162 watcher
Born at : Dec. 3, 2025, 9:16 p.m. This repo has been linked 2 different CVEs too.
Profile Photo
abtonc/next-cve-2025-66478

None

Shell

Updated: 6 hours, 40 minutes ago
8 stars 1 fork 1 watcher
Born at : Dec. 3, 2025, 6:38 p.m. This repo has been linked 1 different CVEs too.

Results are limited to the first 15 repositories due to potential performance issues.

The following list is the news that have been mention CVE-2025-66478 vulnerability anywhere in the article.

  • BleepingComputer
Critical React, Next.js flaw lets hackers execute code on servers

A maximum severity vulnerability, dubbed 'React2Shell', in the React Server Components (RSC) 'Flight' protocol allows remote code execution without authentication in React and Next.js applications. Th ... Read more

Published Date: Dec 04, 2025 (5 hours, 20 minutes ago)
  • Help Net Security
Max-severity vulnerability in React, Node.js patched, update ASAP (CVE-2025-55182)

A critical vulnerability (CVE-2025-55182) in React Server Components (RSC) may allow unauthenticated attackers to achieve remote code exection on the application server, the React development team war ... Read more

Published Date: Dec 04, 2025 (8 hours, 8 minutes ago)
  • CybersecurityNews
Critical React and Next.js Enables Remote Attackers to Execute Malicious Code

A critical security flaw in React and Next.js could let remote attackers run malicious code on servers without logging in. The issue affects React Server Components (RSC) and the “Flight” protocol use ... Read more

Published Date: Dec 04, 2025 (14 hours, 40 minutes ago)
  • Daily CyberSecurity
Maximum Severity Alert: Critical RCE Flaw Hits Next.js (CVE-2025-66478, CVSS 10.0)

Developers using the modern stack of Next.js and React are facing a “red alert” situation today. A maximum-severity security flaw has been uncovered in the React Server Components (RSC) protocol, putt ... Read more

Published Date: Dec 04, 2025 (17 hours, 49 minutes ago)
  • Daily CyberSecurity
Critical WordPress Flaw (CVE-2025-6389) Under Active Exploitation Allows Unauthenticated RCE

A critical Remote Code Execution (RCE) vulnerability has been discovered in the Sneeit Framework, a core plugin bundled with multiple premium themes. While the patch was quietly released in August, th ... Read more

Published Date: Dec 04, 2025 (18 hours, 8 minutes ago)
  • Ars Technica
Maximum-severity vulnerability threatens 6% of all websites

“I usually don’t say this, but patch right freakin’ now,” one researcher wrote. “The React CVE listing (CVE-2025-55182) is a perfect 10.” React versions 19.0.1, 19.1.2, or 19.2.1 contain the vulnerabl ... Read more

Published Date: Dec 03, 2025 (21 hours, 15 minutes ago)
  • The Hacker News
Critical RSC Bugs in React and Next.js Allow Unauthenticated Remote Code Execution

Dec 03, 2025Ravie LakshmananVulnerability / Cloud Security A maximum-severity security flaw has been disclosed in React Server Components (RSC) that, if successfully exploited, could result in remot ... Read more

Published Date: Dec 03, 2025 (1 day, 2 hours ago)

Results are limited to the first 20 news articles due to potential performance issues.

The following table lists the changes that have been made to the CVE-2025-66478 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

  • CVE Rejected by [email protected]

    Dec. 03, 2025

    Action Type Old Value New Value
  • New CVE Received by [email protected]

    Dec. 03, 2025

    Action Type Old Value New Value
    Added Description Rejected reason: This CVE is a duplicate of CVE-2025-55182.
EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days. Following chart shows the EPSS score history of the vulnerability.
Vulnerability Scoring Details
No CVSS metrics available for this vulnerability.