The Next.js security update isn’t a single patch—it’s a fast‑moving series of fixes tied to the React2Shell disclosure. If you run the App Router with React Server Components (RSC), treat this as a production incident. On December 11, 2025, the Next.js team shipped an advisory that adds two non‑RCE issues (source code exposure and a denial‑of‑service) on top of the earlier React2Shell chain. The practical takeaway: apply the Next.js security update now, verify your environment, and run a short, disciplined stabilization sprint.

Developer terminal applying Next.js security update in CI

The timeline and what actually changed

Here’s the thing: the story didn’t end with the initial React2Shell patch. The React team disclosed a critical RCE in the RSC protocol (CVE‑2025‑55182) on December 3, 2025, followed by Next.js tracking it downstream as CVE‑2025‑66478. A week later, on December 11, React and Next.js documented two additional RSC issues—one that could expose compiled server function code (CVE‑2025‑55183) and another that could hang servers (CVE‑2025‑55184). A complete fix for the DoS case shipped shortly after under CVE‑2025‑67779. None of those new issues are RCE, but they do meaningfully impact availability and confidentiality.

Practically, these fixes tighten how the RSC “Flight” payload is parsed and how server function responses are serialized. They also tighten guardrails around what can be returned (or leaked) when deserialization goes sideways. If your App Router endpoints parse RSC payloads, you’re in scope. Pages Router apps aren’t directly affected by the protocol issues, but upgrading keeps your tree consistent with framework‑level mitigations and testing.

Next.js security update: exact versions and commands

Use the patch matrix below to avoid guesswork. Stick to your current release line and upgrade to the listed version. If you’re on a canary, move to the specified canary build.

Install one of the following based on your line: [email protected] (for 13.3+ and all 14.x), [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected]‑canary.60, or [email protected]‑canary.19. If you’re on next 13.3–13.5, jump to 14.2.35 as the supported landing zone.

Quick path:

npm install [email protected]
npm install [email protected]
npm install [email protected]
npm install [email protected]
npm install [email protected]
npm install [email protected]
npm install [email protected]
npm install [email protected]

For canaries:

npm install [email protected]‑canary.60
npm install [email protected]‑canary.19

There’s also a helper: npx fix‑react2shell‑next. It checks your installed graph and performs deterministic version bumps to the recommended builds. Use it in a disposable branch to see exactly what will change, then merge via your normal review process.

Are you affected if you don’t use Server Functions?

Maybe. The RSC protocol work happens beneath your app code in framework and bundler integrations. If your app supports React Server Components, the vulnerable parsing surface may still be present even if you haven’t authored explicit server functions. That’s why the vendor guidance is to update the framework packages regardless.

“We’re on the Pages Router—can we skip this?”

I wouldn’t. While Pages Router apps aren’t directly impacted by the RSC protocol quirks, staying on patched framework versions gives you security defaults tested against the active advisories. It also simplifies your later migration or mixed‑router codebases. Upgrading now is cheaper than doing it under pressure later.

What about managed mitigations—do CDNs or hosts cover us?

Rely on them for a safety net, not a shield. Hosting and CDN providers did roll out mitigations (for example, increasing request body inspection limits to catch hostile payloads), but you still need the Next.js security update in your own code. The safest posture is layered: patch your dependencies, then let your WAF/CDN add a second line of defense in case a new variant appears.

The 7‑day stabilization plan (use this)

Here’s a short, sane plan we’ve used with teams this week. Keep it boring. Keep it visible.

Day 0–1: Patch and pin

Update to the fixed Next.js version for your line and pin exact versions for react, react‑dom, and any react‑server‑dom‑* package. Regenerate lockfiles. Commit a dependency bill of materials (SBOM) to your repo or artifact store so you can prove what’s running.

Day 2: Prove it in pre‑prod

Replay 24 hours of production traffic into a staging environment with the patched build. Watch for error rate changes, response time deltas, and memory use. If you have synthetic checks for App Router endpoints, run them in a loop for an hour and compare to pre‑patch baselines.

Day 3: Log and alert for RSC anomalies

Add structured logging to your RSC endpoints: request size, content type, deserialization errors, and any server function invocations that return unexpected shapes. Alert on spikes or repeated parsing failures. Keep these logs for at least 30 days so you can backstop any retroactive investigations.

Day 4: Secrets and source exposure audit

Search your server functions for hardcoded secrets or values that could be inlined during bundling. Move anything sensitive into runtime environment variables and secret managers. Add snapshot tests to assert that compiled outputs don’t contain literal tokens.

Day 5: WAF/edge rules and safe limits

Set reasonable request body limits and rate limits on RSC endpoints. Add an allowlist for content types your app actually accepts. If your CDN or WAF can parse and score requests for known RSC exploit patterns, enable those managed rules but keep them in log‑only for an hour before switching to block.

Day 6: Regression suite for App Router

Build a small suite that exercises your server functions with benign and malformed payloads. You want proof that the patched runtime rejects nonsense cleanly and that your happy paths are intact. Run it in CI on every dependency bump.

Day 7: Post‑incident review and runbook

Write the page you wish you had last week: versions to install, commands to run, dashboards to watch, and the rollback switch. Then add automated dependency monitoring so these updates trigger a templated pull request with a one‑click path to staging.

Don’t repeat Cloudflare’s mistake: ship mitigations without going down

On December 5, 2025, Cloudflare briefly took a noticeable slice of the Internet offline while deploying mitigations related to the React2Shell fallout. The work was well‑intentioned—expanding body‑inspection limits to improve detection—but a global configuration change created a cascading failure and impacted roughly a quarter of traffic for about 25 minutes. The lesson isn’t “don’t harden quickly.” It’s “treat security config as code, with the same blast‑radius controls as software releases.”

Steal these controls for your own stack:

Progressive rollout for config. Stage by stage, weighted by traffic, with automatic halt conditions. A WAF rule or HTTP body limit should graduate the same way a binary does.

Guardrails for memory pressure. If you increase request inspection limits (for example from 128 KB to 1 MB), track per‑pod memory, GC frequency, and p99 latencies in the same dashboard. Put a circuit breaker in front of the change.

Immutable configs with fast rollback. Version security policies; pin them to releases; make rollbacks one click. Put an “is safe” annotation in your deployment pipeline that blocks full rollout until a canary holds steady for a fixed window.

If you want a deeper breakdown of how to ship mitigations without an outage, we wrote about the operational playbook here: Ship WAF Fixes Without Going Down.

Security mitigation rollout timeline and dashboards

How to verify your app is actually safe

Let’s get practical. After installing the Next.js security update, do three checks:

1) Dependency graph: ensure only the patched Next.js and RSC packages appear in your lockfile. No stray prereleases or stale minors.

2) Endpoint behavior: send deliberately malformed RSC payloads to your non‑prod App Router endpoints. You want explicit 4xx or 5xx responses without process hangs and without accidental object leakage in responses.

3) Telemetry deltas: compare error budgets, CPU, and memory for 24 hours before/after. Look for elevated deserialization failures or longer garbage collection cycles—signals that you might need to tune body limits or caching.

Common pitfalls we’re seeing this week

Leaving canaries behind. If you tested a canary during the initial scramble, make sure your production is on a canary that includes the follow‑up fixes—or better, return to the corresponding stable release.

Half‑patched mono‑repos. Update shared packages and internal tooling that bundle their own RSC plugins. Then run a monorepo‑wide lockfile refresh so every app consumes the same patched graph.

Silent exposure. Teams assume “we don’t return secrets” when unit tests only check happy paths. Add tests that call server functions out of contract and assert that responses don’t contain any compiled code snippets or environment tokens.

A pragmatic defense‑in‑depth checklist

– Patch framework and RSC packages to the specified versions in your release line.
– Pin versions; commit lockfiles; generate and store SBOMs per build.
– Add log fields for RSC payload size, parse errors, and server function return types; alert on anomalies.
– Put a memory/latency dashboard next to your WAF changes and body limits; enable circuit breakers.
– Run malformed payload tests against staging every day this week; keep the tests for future bumps.
– Move secrets and business‑critical constants out of code and into your runtime secrets store.
– Document the rollback path and practice it once while traffic is low.

Want a deeper dive on tactics?

We’ve published several pieces you can use right away. If you need the broader, post‑patch hygiene guide, start with React2Shell Aftercare: Verify, Detect, Harden. For a 30‑day program, see React Server Components Vulnerability: 30‑Day Plan. If you’re focused on Next.js specifically, use Next.js CVE‑2025‑66478: Patch, Prove, Harden. And for teams still triaging the December activity, we wrapped the latest steps here: React2Shell: Patch, Prove, Prevent (Dec 2025).

What to do next (today and this week)

For developers:
– Upgrade to the patched Next.js version for your line and rerun your build.
– Run traffic replay in staging and watch logs for RSC parse errors.
– Add regression tests for malformed payloads and code exposure.
– Tighten WAF rules in monitor mode, then switch to block after one hour of clean signal.

For engineering leaders and owners:
– Assign one DRI for the dependency bump and one for observability changes.
– Require a release plan with a canary gate; reject “all at once” rollouts.
– Ask for a one‑page runbook that lists versions, commands, dashboards, and rollback.
– Schedule a 30‑minute after‑action review; capture decisions in your playbook.

Zooming out: this is the new normal for modern frameworks. The RSC protocol is powerful—and with that power comes real risk when serialization, payload limits, or bundler behaviors drift. The good news is you can make this mundane: tighten the loop from advisory to upgrade to verification. Keep your patches boring, your rollouts gradual, and your telemetry loud. That’s how you ship quickly without waking up your incident channel at 3 a.m.

RSC protocol flow with WAF defense in depth

Next.js Security Update: What To Fix This Week

The timeline and what actually changed

Next.js security update: exact versions and commands

Are you affected if you don’t use Server Functions?

“We’re on the Pages Router—can we skip this?”

What about managed mitigations—do CDNs or hosts cover us?