[PSA] React / NextJS Critical RCE Vulnerability (CVE-2025-66478) - Update your React Apps
Posting this as a PSA to anyone running Next.JS apps: https://nextjs.org/blog/CVE-2025-66478
There is an unauthenticated remote code execution vulnerability in basically every modern version of Next.JS. If you're running a server-side React app, there is a good chance it's using NextJS, and will be vulnerable to this. There are public PoCs that are already being scanned for and exploited in the wild.
To be clear: This only affects server-side Next.js apps. Static sites and standard client-side React apps are not affected.
Make sure you double check any React apps you have running!
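Added example (not from the original post and not the Next.js project's own tooling): a script that walks a directory tree, finds every project depending on `next`, reads the version actually installed in `node_modules` (falling back to the `package.json` spec), flags static-export sites as unaffected, and compares the rest against a table of first-patched releases per minor line. The `PATCHED` table, the project names and the version numbers in the constructed sample are assumptions; fill the table in from the advisory linked above before relying on it.

```python
"""Inventory Next.js apps under a directory and flag the ones still to be patched.

Assumptions (not from the advisory): PATCHED holds the first fixed patch-level
per (major, minor) line and MUST be replaced with the advisory's values; a
project is treated as a static site when its next.config.* sets output: 'export'.
"""
import json
import re
import tempfile
from pathlib import Path

# Assumed placeholder values; take the real fixed versions from the advisory.
PATCHED = {
    (15, 5): 7,   # i.e. 15.5.x is fixed from 15.5.7 (assumed)
    (16, 0): 7,   # i.e. 16.0.x is fixed from 16.0.7 (assumed)
}

# Accept '15.5.2', 'v15.5.2', '^15.5.0', '>=15.5.0'; reject tags like 'latest'.
SEMVER = re.compile(r"^[~^>=<\s]*v?(\d+)\.(\d+)\.(\d+)")
STATIC_EXPORT = re.compile(r"output\s*:\s*['\"]export['\"]")


def parse_version(spec):
    """Return (major, minor, patch) or None when the spec is not a concrete version."""
    m = SEMVER.match(spec or "")
    return tuple(int(x) for x in m.groups()) if m else None


def needs_patch(version, patched=PATCHED):
    """True if below the first fixed release of its minor line, False if at/above,
    None if the minor line is not in the table (unknown: review manually)."""
    major, minor, patch = version
    fixed = patched.get((major, minor))
    return None if fixed is None else patch < fixed


def installed_next_version(project):
    """Prefer the resolved version in node_modules; fall back to package.json's spec."""
    resolved = project / "node_modules" / "next" / "package.json"
    if resolved.is_file():
        return json.loads(resolved.read_text())["version"], "node_modules"
    pkg = json.loads((project / "package.json").read_text())
    for section in ("dependencies", "devDependencies"):
        spec = pkg.get(section, {}).get("next")
        if spec:
            return spec, "package.json"
    return None, None


def is_static_export(project):
    """Static export (output: 'export') means no Next.js server is running."""
    for name in ("next.config.js", "next.config.mjs", "next.config.ts"):
        cfg = project / name
        if cfg.is_file() and STATIC_EXPORT.search(cfg.read_text()):
            return True
    return False


def audit(root):
    """Walk root for package.json files that depend on next; return one finding each."""
    root = Path(root)
    findings = []
    for pkg in root.rglob("package.json"):
        rel = pkg.relative_to(root)
        if "node_modules" in rel.parts:
            continue
        spec, source = installed_next_version(pkg.parent)
        if spec is None:
            continue
        version = parse_version(spec)
        findings.append({
            "project": str(rel.parent),
            "version": spec,
            "source": source,
            "static_export": is_static_export(pkg.parent),
            "needs_patch": None if version is None else needs_patch(version),
        })
    return findings


def demo():
    """Constructed sample tree: one server app behind the patch, one static export."""
    root = Path(tempfile.mkdtemp())
    server = root / "dashboard"
    (server / "node_modules" / "next").mkdir(parents=True)
    (server / "package.json").write_text(json.dumps({"dependencies": {"next": "^15.5.0"}}))
    (server / "node_modules" / "next" / "package.json").write_text(
        json.dumps({"name": "next", "version": "15.5.2"}))
    site = root / "marketing"
    site.mkdir()
    (site / "package.json").write_text(json.dumps({"dependencies": {"next": "16.0.7"}}))
    (site / "next.config.mjs").write_text("export default { output: 'export' };\n")
    return sorted(audit(root), key=lambda f: f["project"])


if __name__ == "__main__":
    for f in demo():
        print(f)
```

Run it against the parent directory of your deployments (`audit("/srv")`); a finding with `needs_patch: True` and `static_export: False` is the one to fix first, and `needs_patch: None` means the version could not be classified and wants a manual look.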


Comments
I used Umami v2.19.0 until today. Got a notification about high CPU usage and checked the logs: someone had uploaded a script named "sex.sh" into the Umami Docker container and started a shitty crypto miner.
I think we'll see a lot of that in the coming weeks.
Wow, thanks for this notice, because I had a personal hobby project and just out of curiosity I went in to look at the VPS, and it was f*cked by this vulnerability: the attacker installed a crypto miner, and I was lucky to stop the VPS to prevent it from being suspended/terminated. Time to nuke the whole VPS, update Next.js and upload safe backups.
Me too. I exec'd into the container and checked the usage; there is a contact.txt file with rondo2012 [@]atomicmail.io, and the attacker installed a crypto miner, botnet rondodox.top:

Lucky us, we are running the latest version.
Glad it helped someone!
Just what I wanted to do on a Saturday afternoon: respond to support tickets from people who have absolutely no idea what's going on, but are certain we're the bad guys in the situation.
A guy installed a 4thepool miner in my free Oracle chicken using a DigitalOcean VM (reported the IP to DigitalOcean already). But it seems he didn't touch anything else (I hope so). Luckily I use Docker for my other Next.js projects.
Another vulnerability appeared, btw. Update your React & Next.js apps. Check these:
https://nextjs.org/blog/security-update-2025-12-11
https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components
Damn, it's one after another. Thanks for the heads up.
This is a really, really bad one. The ease of exploitation and impact are both about as bad as it gets, and there are also quite a few working PoCs for this exploit on GitHub, so it's very accessible.
GreyNoise (a threat intelligence company that monitors internet activity) has been reporting exponential growth in attacks, so it looks like it's probably one of the most popular attack vectors for bots at the moment.
If you have an affected app that is visible to the internet then you should assume that you've already been compromised at this point.
Obviously update as soon as possible, but ideally you should just reinstall the OS from scratch and then redeploy the app to be on the safe side.