WordPress VIP is aware of recently disclosed critical vulnerabilities affecting React Server Components and frameworks built on top of them, including Next.js.
Summary
On December 3, 2025, the React and Next.js teams disclosed critical vulnerabilities:
- React Server Components vulnerability: React blog post
- Next.js CVE-2025-66478: Next.js advisory
These vulnerabilities could allow unauthorized access to server-side data in certain configurations of applications using React Server Components or affected Next.js versions.
Impact on WordPress VIP customers
A limited number of VIP customers run applications built on Next.js that are impacted by these disclosures.
WordPress VIP has:
- Reached out directly to all customers running affected versions of Next.js.
- Implemented protective mitigations to shield all VIP environments from known exploit patterns.
We will continue to monitor for emerging attack signatures and adjust our mitigation strategy as new information becomes available.
Recommended actions for customers
- If you operate a custom application using Next.js or React Server Components, please ensure you update immediately to a patched version as recommended by the upstream maintainers, and follow the guidelines our team shared directly with your organization.
- Review the official React and Next.js guidance and changelogs.
- If you are unsure whether your application is affected, please contact VIP Support.
Our commitment
Security is core to the WordPress VIP platform. We are actively collaborating with upstream maintainers and continuously refining mitigations to ensure all customer workloads remain protected. Updates will be provided if further information becomes available.