High-risk vulnerability
CVE-2025-66478
```bash
$ npx fix-react2shell-next
Need to install the following packages:
fix-react2shell-next@1.1.4
Ok to proceed? (y) y
fix-react2shell-next - Next.js vulnerability scanner
Checking for 4 known vulnerabilities:
- CVE-2025-66478 (critical): Remote code execution via crafted RSC payload
- CVE-2025-55184 (high): DoS via malicious HTTP request causing server to hang and consume CPU
- CVE-2025-55183 (medium): Compiled Server Action source code can be exposed via malicious request
- CVE-2025-67779 (high): Incomplete fix for CVE-2025-55184 DoS via malicious RSC payload causing infinite loop
Found 1 package.json file(s)
Found 1 vulnerable file(s):
package.json
next: 15.3.2 -> 15.3.8 [CVE-2025-66478, CVE-2025-55184, CVE-2025-55183, CVE-2025-67779]
Apply fixes? [Y/n]
Applying fixes...
Updated package.json
Installing dependencies...
. (pnpm)
$ pnpm install
╭───────────────────────────────────────────────────────────────────╮
│                                                                   │
│              Update available! 9.1.3 → 10.26.0.                   │
│   Changelog: https://github.com/pnpm/pnpm/releases/tag/v10.26.0   │
│                Run "pnpm add -g pnpm" to update.                  │
│                                                                   │
│      Follow @pnpmjs for updates: https://twitter.com/pnpmjs       │
│                                                                   │
╰───────────────────────────────────────────────────────────────────╯
WARN deprecated @types/bcryptjs@3.0.0: This is a stub types definition. bcryptjs provides its own type definitions, so you do not need this installed.
WARN deprecated @types/cookie@1.0.0: This is a stub types definition. cookie provides its own type definitions, so you do not need this installed.
Downloading next@15.3.8: 27.92 MB/27.92 MB, done
WARN 3 deprecated subdependencies found: har-validator@5.1.5, request@2.88.2, uuid@3.4.0
Downloading @next/swc-win32-x64-msvc@15.3.5: 47.33 MB/47.33 MB, done
Packages: +3 -3
+++---
Progress: resolved 506, reused 461, downloaded 3, added 3, done
dependencies:
- next 15.3.2
+ next 15.3.8 (16.0.10 is available)
Done in 21.8s
Patches applied!
```