React2Shell
The morning of December 4th, 2025. A critical RSC vulnerability is on the front page. Your app is on Next 15.4. You have an hour before standup.
Briefing
CVE-2025-66478 was disclosed at 11:00 PT on December 3rd, 2025. The Next.js advisory describes 'an insecure deserialization vulnerability where the server fails to properly validate the structure of incoming RSC payloads.' Affected: Next.js 15.x, 16.x, and 14.3.0-canary.77+ when the App Router is used. Not affected: Pages Router, Edge Runtime, Next 13.x, Next 14.x stable. You inherited this app three months ago. Start by figuring out what version it actually runs.
Your role
On-call SRE for a SaaS app running Next.js. The advisory dropped overnight. You have a production app to triage before anyone else is awake.
Objective
Confirm whether your app is exposed, find any evidence of pre-patch exploitation in the access logs, and prepare the rollout plan, all from defensive logs only.
Terminal environment
- user: responder
- host: edge-prod-02
- cwd: /srv/forge-web
- steps: 8
Safety note. This is a safe reconstruction. All systems, files, hosts, credentials, and outputs are simulated. Do not use these techniques on systems you do not own or have explicit permission to test.