In early December 2025, security dashboards lit up with alerts for CVE-2025-66478, a critical vulnerability seemingly targeting Next.js. The advisory pointed to a remote code execution (RCE) flaw, sending development and security teams scrambling. Yet, a closer look reveals a more complex reality—one that underscores the importance of precision in Software Composition Analysis (SCA).
Overview
CVE-2025-66478 was quickly marked “REJECTED” by the National Vulnerability Database (NVD). This did not mean the risk was gone. It meant the CVE was a duplicate of another entry, CVE-2025-55182. This administrative detail created confusion, but it also highlighted a critical lesson: understanding where a vulnerability truly resides is the key to effective remediation. The flaw originates in the React Server Component (RSC) runtimes, not in Next.js itself—though Next.js is affected because it bundles and executes those vulnerable RSC packages.
This situation is a perfect case study in the challenges of modern application security. To secure your software, you must look beyond surface-level alerts and analyze the entire dependency chain.
The Source of the Flaw: React Server Components
The vulnerability announced by the React team on December 3rd affects the core of how React Server Components (RSC) operate. Specifically, the flaw exists in the packages that execute server components and deserialize data from the client. An attacker could craft a malicious request that, when processed by a vulnerable server, leads to remote code execution.
The three primary affected packages are:
react-server-dom-webpack
react-server-dom-parcel
react-server-dom-turbopack
Any application using versions of these packages below 19.0.1 / 19.1.2 / 19.2.1 is exposed. Because Next.js is the most popular framework that bundles these RSC runtimes, it was listed as an “affected framework”—but it is not the root cause.
The Problem with Over-Broad Attribution in SCA
Software Composition Analysis is designed to identify and manage risk in open-source components. Its effectiveness depends on accuracy. When a vulnerability is incorrectly mapped to a high-level framework instead of the true source package, it creates a cascade of problems.
Imagine if every framework or library that uses a vulnerable package was assigned its own CVE. The result would be unmanageable. We would see alerts for Next.js, Vite, React Router, and countless other tools that happen to wrap the same vulnerable code. This “cascade mapping” leads to:
• Alert Fatigue: Developers are inundated with false positives for libraries they use in a way that never exposes the vulnerability. This noise makes it difficult to prioritize real threats.
• Incorrect Remediation: Teams might try to patch or reconfigure wrapper frameworks when the real solution is to update the underlying transitive dependency (the vulnerable react-server-dom-* package).
• Broken Best Practices: Industry-standard SCA follows the direct-dependency principle. You flag the exact package with the flaw—not every downstream consumer. Propagating findings to every wrapper without a clear import relationship degrades security data quality.
The rejection of CVE-2025-66478 in favor of CVE-2025-55182 reflects NVD’s commitment to this principle. The vulnerability exists in one place—the RSC runtime—and should be tracked as a single issue.
How Veracode Delivers Clarity
This incident demonstrates why a sophisticated approach to SCA is non-negotiable. At Veracode, we build our platform on the principle of precision. Our analysis goes beyond surface-level identifiers to provide an accurate, actionable software bill of materials (SBOM).
When CVE-2025-66478 was rejected, we analyzed why the reported Next.js vulnerability had been dismissed and how it was identified as a duplicate of CVE-2025-55182. Our review confirmed that the flaw did not originate in Next.js itself, but in the vulnerable RSC runtime components bundled within it.
Actionable Findings:
Instead of vague alerts about libraries or frameworks that merely depend on the RSC ecosystem—such as react-router, waku, @parcel/rsc, rwsdk, and others—developers see the actual transitive dependency that is vulnerable. This enables a fast, targeted fix, especially for frameworks like Next.js, which genuinely invoke the affected RSC runtime.
Reduced Noise:
By focusing on the actual source of the vulnerability, we eliminate the false positives that plague other tools. This allows your teams to direct their attention toward genuine, actionable risks.
Comprehensive Visibility:
Veracode SCA analyzes your entire dependency graph—including deeply nested transitive packages—ensuring you have a complete and accurate understanding of your software components.
Our goal is to empower you to fix flaws, not just find them. With clear and precise vulnerability data, your development teams can remediate issues quickly and efficiently—without disrupting their workflow.
Recommended Actions for Security and Development Teams
If your organization uses Next.js or other frameworks leveraging React Server Components, here are the immediate steps you should take to assess and mitigate your risk.
Inventory Your Dependencies:
Run a command to inspect your lock files for react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack.
npm ls react-server-dom-webpack react-server-dom-parcel react-server-dom-turbopack
This shows which version you have and how it was pulled into your project.
Upgrade to a Patched Version:
If you find any of the three RSC packages with a version below 19.0.1 / 19.1.2 / 19.2.1, you must upgrade. Updating your primary dependencies—like Next.js—will typically pull in the patched RSC runtime. The vulnerability is fully resolved in patched Next.js releases including 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, and 16.0.7, which bundle the fixed RSC runtime versions.
Validate Your Transitive Dependencies:
After updating, run the inventory check again to confirm that the vulnerable packages have been successfully upgraded. Do not assume a top-level update fixed the underlying issue.
Refine Your SCA Tooling:
Ensure your SCA tool follows the direct-dependency principle. It should identify the true source package and consolidate duplicate CVEs. This improves the signal-to-noise ratio of your alerts.
Communicate with Stakeholders:
Clearly explain that the vulnerability originates in the React Server Component runtime, and that Next.js is affected because it bundles and invokes the vulnerable RSC deserializer. Emphasize that a “missing” CVE alert in tools like Veracode is often a sign of intelligent duplicate CVE handling, not a gap in coverage.
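As an added example (not Veracode's code and not the React project's), the following Node script performs the inventory and validation steps above against a lockfile v2/v3 package-lock.json: it reports every copy of the three RSC runtime packages, including copies nested under a framework such as next, and compares each against the fixed versions stated in this post. It assumes those per-line fixed versions (19.0.1 / 19.1.2 / 19.2.1), reports versions on any other release line for manual review rather than judging them, and uses a constructed sample lock instead of reading a file.

```javascript
// Added example: audit a package-lock.json "packages" map for the RSC runtime packages.
const RSC_PACKAGES = ["react-server-dom-webpack", "react-server-dom-parcel", "react-server-dom-turbopack"];
// Fixed version per release line, as stated in the post: 19.0.1 / 19.1.2 / 19.2.1.
const FIXED = { "19.0": [19, 0, 1], "19.1": [19, 1, 2], "19.2": [19, 2, 1] };

function parseVersion(v) {
  // Split off a prerelease/build suffix such as "-canary-..."; semver orders a prerelease before its release.
  const [core, pre] = v.split(/[-+]/, 2);
  return { nums: core.split(".").map(Number), pre: pre !== undefined };
}

// Returns "vulnerable", "fixed", or "unknown-line". "unknown-line" is this example's assumption:
// a release line the post's fix list does not cover is flagged for manual review, not judged.
function classify(version) {
  const { nums, pre } = parseVersion(version);
  const fixed = FIXED[`${nums[0]}.${nums[1]}`];
  if (!fixed) return "unknown-line";
  for (let i = 0; i < 3; i++) {
    if (nums[i] < fixed[i]) return "vulnerable";
    if (nums[i] > fixed[i]) return "fixed";
  }
  return pre ? "vulnerable" : "fixed"; // e.g. 19.2.1-canary sorts before 19.2.1
}

// Lockfile keys look like "node_modules/next/node_modules/react-server-dom-webpack";
// the path segments before the last one are the packages the copy was pulled in through.
function auditLock(lock) {
  const findings = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    const parts = key.split("node_modules/").filter(Boolean).map((p) => p.replace(/\/$/, ""));
    const name = parts[parts.length - 1];
    if (!RSC_PACKAGES.includes(name)) continue;
    const via = parts.length > 1 ? parts.slice(0, -1).join(" > ") : "(direct)";
    findings.push({ name, version: entry.version, via, status: classify(entry.version) });
  }
  return findings;
}

// Constructed sample lock: the top-level copy is patched, but a stale copy is still nested under next.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "app" },
    "node_modules/next": { version: "15.5.7" },
    "node_modules/react-server-dom-webpack": { version: "19.2.1" },
    "node_modules/next/node_modules/react-server-dom-webpack": { version: "19.2.0" },
    "node_modules/react-server-dom-parcel": { version: "19.1.2-canary-0000000" },
  },
};

for (const f of auditLock(SAMPLE_LOCK)) console.log(`${f.status.padEnd(12)} ${f.name}@${f.version} via ${f.via}`);
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(require("node:fs").readFileSync("package-lock.json", "utf8"))`; a "vulnerable" nested copy after a top-level upgrade is exactly the case the validation step warns about.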
Beyond the CVE: A Lesson in Modern Security
The confusion around CVE-2025-66478 illustrates how complex modern supply chains have become. A surface-level approach to vulnerability management is no longer enough. You need deep visibility into your dependency graph and an SCA solution capable of distinguishing between a consumer and the source of a flaw.
By focusing on direct dependencies and providing precise, actionable intelligence, Veracode empowers you to build secure software without sacrificing speed. We cut through the noise so your teams can focus on fixing what’s broken and building what’s next.