Date: December 4, 2025
Status: Not Affected
Summary
A critical remote code execution vulnerability (CVE-2025-66478, CVSS 10.0) was recently disclosed affecting Next.js applications using the App Router with React Server Components.
Impact Assessment
The Aurora platform is not affected by this vulnerability.
After a thorough review of our codebase, we have confirmed that our applications use the Next.js Pages Router architecture, which is explicitly excluded from the scope of this vulnerability. According to Vercel's official security advisory, Pages Router applications are not susceptible to this exploit.
Actions Taken
Despite not being vulnerable, we are proactively updating our Next.js dependency from version 15.1.7 to 15.1.9 as part of our commitment to security best practices and maintaining up-to-date dependencies.
References
- https://github.com/vercel/next.js/security/advisories/GHSA-9qr9-h5gf-34mp
- https://nextjs.org/blog/CVE-2025-66478
Questions
If you have any questions regarding this advisory, please contact your account representative or our support team.
