Resources for protecting against 'React2Shell'


As of December 4 at 21:04 UTC, multiple proof-of-concept (POC) exploits for CVE-2025-55182 are confirmed to be publicly available. This CVE also impacted all Next.js apps from 15.0.0 through 16.0.6.

Please note: We will update this blog post as new information becomes available. We will also post on X each time there is an update. We recommend following Vercel on X and checking back here frequently for the latest.

We are actively monitoring traffic across our platform, and our initial data suggests threat actors are actively probing for vulnerable applications and trying to exploit them.

[Figure: Spikes in Vercel WAF validation traffic as unconfirmed POCs began to appear]

If your application is hosted on Vercel, our WAF is already filtering and blocking known exploit patterns. However, upgrading to a patched version is strongly recommended and the only complete fix. All users of React Server Components, whether through Next.js or any other framework, should update immediately.

Vercel has taken a defense-in-depth approach to ensure customers and the broader community are protected. Prior to the CVE announcement, we worked with the React Team to design WAF rules to block exploitation and globally delivered protection to all Vercel users at no cost. We also shared these mitigations with major CDN and WAF providers so they could prepare before this CVE was announced. We are constantly learning and improving our detections.

Today, we also shipped a change to block new deployments of projects using vulnerable versions of Next.js.

This post aims to provide clarity on the next steps for detection and mitigation for Vercel customers, and to broadly share answers to their most common questions.

Vulnerability detection and mitigation steps

For Next.js

Compare your version of Next.js against the table below. You can find your Next.js version through either of the following methods:

  • Load a page from your app and run next.version in the browser console to see the current version

  • Inspect your project’s package.json and look for next in your project dependencies

Vulnerable version                               Patched release
Next.js 15.0.x                                   15.0.5
Next.js 15.1.x                                   15.1.9
Next.js 15.2.x                                   15.2.6
Next.js 15.3.x                                   15.3.6
Next.js 15.4.x                                   15.4.8
Next.js 15.5.x                                   15.5.7
Next.js 16.0.x                                   16.0.7
Next.js 14 canaries after 14.3.0-canary.76       Downgrade to 14.3.0-canary.76 (not vulnerable)
Next.js 15 canaries before 15.6.0-canary.58      15.6.0-canary.58
Next.js 16 canaries before 16.1.0-canary.12      16.1.0-canary.12 and after

If you are using a vulnerable version of Next.js, you should update to a non-vulnerable version immediately.
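As an added example (not Vercel's or the Next.js project's code), the following Node.js script encodes the table above and reports whether an exact Next.js version string, such as the value of next.version, falls in a vulnerable range. It assumes exact versions in the x.y.z or x.y.z-canary.N form used in the table; a dependency range such as ^15.3.0 must first be resolved to the installed version.

```javascript
// Added example, not Vercel's or the Next.js project's code: classify an
// installed Next.js version against the patched-release table in this post.
const PATCHED_STABLE = {
  "15.0": "15.0.5", "15.1": "15.1.9", "15.2": "15.2.6", "15.3": "15.3.6",
  "15.4": "15.4.8", "15.5": "15.5.7", "16.0": "16.0.7",
};
// 15 and 16 canaries BEFORE these builds are vulnerable;
// 14 canaries are vulnerable only AFTER 14.3.0-canary.76.
const PATCHED_CANARY = { 15: "15.6.0-canary.58", 16: "16.1.0-canary.12" };
const LAST_SAFE_14_CANARY = "14.3.0-canary.76";

function parseVersion(s) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-canary\.(\d+))?$/.exec(String(s).trim());
  if (!m) throw new Error(`unrecognised Next.js version: ${s}`);
  return { major: +m[1], minor: +m[2], patch: +m[3],
           canary: m[4] === undefined ? null : +m[4] };
}

// Orders by major, minor, patch, then canary number; a stable release sorts
// after every canary of the same x.y.z (semver prerelease ordering).
function compareVersions(a, b) {
  for (const k of ["major", "minor", "patch"]) {
    if (a[k] !== b[k]) return a[k] - b[k];
  }
  if (a.canary === b.canary) return 0;
  if (a.canary === null) return 1;
  if (b.canary === null) return -1;
  return a.canary - b.canary;
}

function assessNextVersion(s) {
  const v = parseVersion(s);
  let threshold, vulnerableBelow = true;
  if (v.canary !== null && v.major === 14) {
    threshold = LAST_SAFE_14_CANARY;
    vulnerableBelow = false; // vulnerable only above the last safe canary
  } else if (v.canary !== null) {
    threshold = PATCHED_CANARY[v.major];
  } else {
    threshold = PATCHED_STABLE[`${v.major}.${v.minor}`];
  }
  // No row in the table (e.g. stable 14.x): outside the affected range listed here.
  if (!threshold) return { version: s, vulnerable: false, fix: null };
  const c = compareVersions(v, parseVersion(threshold));
  const vulnerable = vulnerableBelow ? c < 0 : c > 0;
  const fix = !vulnerable ? null
    : `${vulnerableBelow ? "upgrade" : "downgrade"} to ${threshold}`;
  return { version: s, vulnerable, fix };
}
```

Call assessNextVersion with the output of next.version or the pinned version from package.json; a non-null fix field names the release from the table to move to.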

For other frameworks

If you use another framework that implements React Server Components, consult the React Security Advisory posted on the react.dev blog. If you are running a vulnerable version of the affected software, you should update to a patched version immediately.

Frequently asked questions

How do I know if I’m vulnerable to this CVE?

The most definitive way to understand your exposure is to check the version of React/Next.js that you have deployed against the versions affected by the CVE. See the Vulnerability detection and mitigation steps above for information on how to check this.

We have enabled a banner on vercel.com for our customers that informs you if the production deployment of a project contains a vulnerable version of next, react-server-dom-webpack, react-server-dom-parcel, or react-server-dom-turbopack.

Please consider this an extra layer of defense and not a replacement for checking if you are running vulnerable versions directly.

How do I know if my app was exploited by CVE-2025-66478?

Vercel deployed WAF mitigations prior to the CVE announcement. As new exploit variants have emerged, we have identified and patched bypasses to our WAF rules. WAF rules are one layer of defense but can never guarantee 100% coverage. Upgrading to a patched version remains the only way to fully secure your application.

For additional assurance, we recommend reviewing your application logs and activity for unexpected behavior. This could include unusual POST requests or spikes in function timeouts. However, function timeouts do not reliably indicate compromise because attackers can craft payloads that complete successfully, and timeouts could simply indicate scanning or probing activity rather than successful exploitation.

What are the protections available to me?

Upgrading to a patched version is the only complete fix. Vercel WAF rules provide an additional layer of defense by filtering known exploit patterns, but WAF rules cannot guarantee protection against all possible variants of an attack.

You can ensure other deployments besides your production domain are protected by reviewing your deployment protection settings.

We are closely monitoring for new exploit variants and iterating on our WAF rules as new information emerges. As of this morning, December 5, we’ve deployed additional rules to cover newly identified attack patterns. Our team will continue to add further layers of protections and share updates as they become available.

What if I am using canary-only features in Next.js?

If you are currently using canary-only features in Next.js, you should still prioritize updating to a patched version. See the Required Action section of the Next.js Security Advisory for instructions on how to update to a patched Next.js version without having to disable canary-only features.

How can I test that the mitigations are working? Should I be using publicly available POCs to test if my application is secure?

We caution against using publicly available exploits against your production environment. Instead, we recommend following the above procedures to ensure all public deployments are using the latest versions of React Server Components and Next.js.

If you have a complex deployment that requires additional verification, we recommend testing in a sandboxed environment with synthetic data to avoid unintended consequences on your production services and data.

For additional questions, contact us at security@vercel.com.