Critical vulnerability found in Next.js 15 and 16
A critical vulnerability (CVE-2025-66478) in the React Server Components protocol has been identified, allowing remote code execution in unpatched environments. Affected are Next.js versions 15.x, 16.x, and 14.3.0-canary.77 and later. Users should upgrade to the latest patched versions (15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7) to resolve the issue. The vulnerability was discovered and responsibly disclosed by Lachlan Davidson.
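To triage an inventory against the version lists above, the following added example (not code from Next.js or from the advisory) classifies a resolved Next.js version as affected, patched, not listed, or undecidable from this text. The function names, status strings and sample versions are assumptions made for illustration.

```javascript
// Patched patch-level per minor line, taken from the advisory text above.
const PATCHED = {
  "15.0": 5, "15.1": 9, "15.2": 6, "15.3": 6, "15.4": 8, "15.5": 7, "16.0": 7,
};

// Parse "15.1.3" or "14.3.0-canary.80" into numeric parts (hypothetical helper).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z-]+)\.(\d+))?$/.exec(String(v).trim());
  if (!m) return null;
  return {
    major: +m[1], minor: +m[2], patch: +m[3],
    tag: m[4] || null, tagNum: m[4] ? +m[5] : null,
  };
}

// Classify one resolved Next.js version against the advisory.
function checkNextVersion(version) {
  const p = parseVersion(version);
  if (!p) return { status: "unknown", upgradeTo: null };

  if (p.major === 14) {
    // On the 14 line only 14.3.0-canary.77 and later canaries are listed as affected.
    const hit = p.minor === 3 && p.patch === 0 && p.tag === "canary" && p.tagNum >= 77;
    return { status: hit ? "affected" : "not-listed", upgradeTo: null };
  }
  if (p.major !== 15 && p.major !== 16) return { status: "not-listed", upgradeTo: null };

  const line = `${p.major}.${p.minor}`;
  // Prereleases and minor lines without a listed fix cannot be decided from this text.
  if (p.tag || !(line in PATCHED)) return { status: "unknown", upgradeTo: null };

  return p.patch >= PATCHED[line]
    ? { status: "patched", upgradeTo: null }
    : { status: "affected", upgradeTo: `${line}.${PATCHED[line]}` };
}

// Constructed sample inventory (not real deployments).
const sample = ["15.1.8", "15.1.9", "16.0.6", "14.3.0-canary.80", "14.2.30", "16.1.0-canary.3"];
for (const v of sample) console.log(v, JSON.stringify(checkNextVersion(v)));
```

Pass the version that is actually installed (the `version` field of `node_modules/next/package.json` or the lockfile entry), not the range declared in `package.json`. An `unknown` result means the version needs manual review against the vendor's advisory.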