Captain's log, stardate d636.y41/AB
This week, a new critical security vulnerability (CVE-2025-66478) affecting React-based front-end projects made the news. The issue allows for server-side code execution, a worst-case scenario for any application running React with SSR (Server Side Rendering). As a development agency that extensively works with React and Next.js, MarsBased immediately activated our internal security protocols to safeguard all active client projects.
As soon as the vulnerability was confirmed, our team carried out a full review of the projects currently in development and prepared production deployments to apply the available fixes. In parallel, we reached out to former clients who don’t currently have an active maintenance contract with us, informing them of the issue and coordinating with them to deliver a response and a hotfix.
As is common in situations like this, patches were released quickly for all minor versions of both Next.js and React, the two affected platforms:
Official Next.js advisory:
https://nextjs.org/blog/CVE-2025-66478
Official React advisory:
https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
Applying the update is straightforward, fully backwards-compatible, and should not introduce breaking changes or unexpected bugs. In other words, the solution is simple, and the sooner you apply it, the better.
We also received notifications from several CDNs and hosting providers we use at MarsBased, letting us know that they have proactively implemented their own protective measures to mitigate potential attacks. Nonetheless, we are giving priority to clients running their own infrastructure, as they will not automatically benefit from provider-level mitigations like those from Railway, Render, Cloudflare, or Fastly.
This security incident comes with a CVSS score of 10, the highest possible rating under the Common Vulnerability Scoring System, the industry standard for assessing the severity of security flaws.
A score of 10 means:
Keeping project dependencies up to date is always a good practice to prevent vulnerabilities like this from becoming a threat. But staying informed is just as important. While subscribing to general security alert channels can be helpful, they also tend to generate a lot of noise and may overwhelm teams that don’t have dedicated security staff.
Our recommendation is to follow the official blogs or newsletters of the frameworks and technologies you use most. These sources provide clearer, more relevant information with far less noise. In our case, that means keeping an eye on updates from React, Next.js, Ruby on Rails, and FastAPI.
Security incidents like this one serve as a reminder that strong, proactive monitoring is just as important as clean, well-structured code.
If you need help assessing the impact of this vulnerability on your project or want to set up a maintenance plan that keeps your applications secure, we’re here to help.