Question about CVE-2025-66478 and create-next-app #86889
Replies: 2 comments
React 19.2.0 isn’t affected by this CVE. The vulnerability was in Next.js’ RSC and Server Actions handling, not React itself. That logic lives entirely in Next.js’ server runtime. Since create-next-app installs Next.js 16.0.7 (which includes the patch), the generated project is not vulnerable to CVE-2025-6647 even though React stays at 19.2.0. |
https://nextjs.org/docs#react-version-handling When you use App Router, Next.js manages the version of React. In this case, upgrading Next.js to 16.0.7 includes the React patch. As you can see here, the last three patches contain the fix: https://github.com/facebook/react/releases for the React Flight protocol, which handles Server Functions; that is what patches the React version. You may also upgrade your react and react-dom dependencies too, but in App Router applications, it is Next.js that has a vendored/compiled version of React within its source control.
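The two replies above boil down to one check: in an App Router project the `next` version decides exposure, not the `react`/`react-dom` entries in package.json. The script below is an added example, not code from the discussion or from the Next.js project. It reads a package.json as text and reports whether `next` is at or above 16.0.7, the only fixed version named in this thread; it knows nothing about other release lines, and the sample package.json is constructed to mirror the versions in the question.

```javascript
// Added example (not from the discussion): report whether a Next.js project's
// declared "next" version is at or above the fix the replies point to (16.0.7).
// Per the replies, App Router uses Next.js's vendored React, so react/react-dom
// in package.json are not what decides exposure. 16.0.7 is the only threshold
// this script knows; it is taken from the discussion, not from an advisory feed.

const FIXED_NEXT_VERSION = '16.0.7';

// Strip range prefixes (^, ~, >=) and return [major, minor, patch] as numbers.
// Returns null for specs such as "latest" or "*" that cannot be assessed
// from package.json alone (the lockfile holds the resolved version).
function parseVersion(spec) {
  const m = /^[\^~>=<\s]*(\d+)\.(\d+)\.(\d+)/.exec(String(spec).trim());
  if (!m) return null;
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Compare two parsed versions component by component: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Assess a package.json given as text. Returns a small report object;
// nextPatched is true, false, or null when it cannot be determined.
function assessPackageJson(text) {
  const pkg = JSON.parse(text);
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const nextSpec = deps.next;
  const report = {
    nextSpec: nextSpec === undefined ? null : nextSpec,
    reactSpec: deps.react === undefined ? null : deps.react,
    nextPatched: null,
    note: '',
  };
  if (nextSpec === undefined) {
    report.note = 'no "next" dependency; not a Next.js project';
    return report;
  }
  const parsed = parseVersion(nextSpec);
  if (!parsed) {
    report.note = `cannot assess spec "${nextSpec}"; read the resolved version from the lockfile`;
    return report;
  }
  report.nextPatched = compareVersions(parsed, parseVersion(FIXED_NEXT_VERSION)) >= 0;
  report.note = report.nextPatched
    ? 'next is at or above 16.0.7; the fix is present regardless of the react version in package.json'
    : 'next is below 16.0.7; upgrade next (changing the react version alone does not resolve this)';
  return report;
}

// Constructed sample resembling create-next-app output with the versions named
// in the question. Not copied from any real project.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: 'my-app',
  dependencies: { next: '16.0.7', react: '19.2.0', 'react-dom': '19.2.0' },
});

console.log(assessPackageJson(SAMPLE_PACKAGE_JSON));
```

A caret range in package.json is only a floor; the lockfile holds the version actually installed, which is the one to trust when the two disagree.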
Summary
We noticed that running:
Creates a project with:
The next version (16.0.7) includes a fix for CVE-2025-66478, but the react and react-dom versions are still vulnerable. What does this mean? Is the resulting application still vulnerable or not?
Additional information
No response
Example
No response