Question about CVE-2025-66478 and create-next-app

[fortenforge]

Summary

We noticed that running:

npx create-next-app@latest [project-name] [options]

Creates a project with:

"dependencies": {
    "next": "16.0.7",
    "react": "19.2.0",
    "react-dom": "19.2.0"
  },

The next version (16.0.7) includes a fix for CVE-2025-66478, but the react and react-dom versions are still vulnerable. What does this mean? Is the resulting application still vulnerable or not?

Additional information

No response

Example

No response

[ibrahimpelumi6142]

React 19.2.0 isn’t affected by this CVE. The vulnerability was in Next.js’ RSC and Server Actions handling, not React itself. That logic lives entirely in Next.js’ server runtime.

Since create-next-app installs Next.js 16.0.7 (which includes the patch), the generated project is not vulnerable to CVE-2025-6647 even though React stays at 19.2.0.