On December 4, 2025, publicly available exploits emerged for React2Shell, a critical vulnerability in React Server Components affecting React 19 (CVE-2025-55182) and frameworks that use it like Next.js (CVE-2025-66478). The situation continues to be dynamic. We recommend checking this page and the Vercel Developers X Account frequently for the latest updates, and will continue to include them in the Vercel Dashboard as well.
The vulnerability affects Next.js versions 15.0.0 through 16.0.6. If you're running an affected version, upgrade immediately, regardless of other protections in place. Jump to How to upgrade for Next.js to learn how to protect your application.
| Date | Update |
|---|---|
| December 06, 9:05 PM PST | If your application was online and unpatched as of December 4th, 2025 at 1:00 PM PT, we strongly encourage you to rotate any secrets it uses, starting with your most critical ones. Information on patching secrets can be found in our docs. |
| December 05, 10:29 PM PST | Vercel has released an npm package to update your affected Next.js app. Use npx fix-react2shell-next or visit the GitHub page to learn more. |
| December 05, 3:44 PM PST | Vercel has partnered with HackerOne for responsible disclosure of critical Vercel Platform Protection workarounds. Valid reports that demonstrate a successful bypass of Vercel protections will be rewarded for this CVE only. Bounties are $25,000 for high and $50,000 for critical. Visit the HackerOne page to participate. |
- Upgrading your application
- Understand what React2Shell is and if it affects you
- How to upgrade for Next.js
- How to upgrade for other frameworks
- Rotating environment variables
- Frequently asked questions
You should upgrade if:
- You're using Next.js 15.0.0 through 16.0.6: All Next.js applications running versions between 15.0.0 and 16.0.6 are affected by this vulnerability.
- You're using Next.js 14 canary versions: If you're using Next.js 14 canaries after 14.3.0-canary.76, you are also vulnerable and need to downgrade or upgrade.
- You're using React Server Components in any framework: This vulnerability affects React Server Components broadly. If you use RSC through Next.js or another framework, you need to update.
For Next.js, upgrading to a patched version is strongly recommended and the only complete fix. All users of React Server Components, whether through Next.js or any other framework, should update immediately. Learn how to upgrade for Next.js and other frameworks.
React2Shell is a critical vulnerability in React Server Components that affects React 19 and frameworks that use it. Under certain conditions, specially crafted requests could lead to unintended remote code execution.
The most reliable way to determine if you're vulnerable is to check the versions of React and Next.js you have deployed. You need to verify the versions of:
- next
- react-server-dom-webpack
- react-server-dom-parcel
- react-server-dom-turbopack
If you're using Vercel, you will see a banner on vercel.com when your production deployment contains a vulnerable version of these packages. This banner is an additional indication to review your deployment. Everyone should also check their versions directly.
Vercel WAF rules provide an additional layer of defense by filtering known exploit patterns:
- Prior to the CVE announcement, Vercel worked with the React Team to design WAF rules to block exploitation and globally delivered protection to all Vercel users.
- Ongoing monitoring for new exploit variants with iterative WAF rule updates (as of December 5, 2025, additional rules were deployed to cover newly identified attack patterns)
WAF rules cannot guarantee protection against all possible variants of an attack.
We recommend turning on deployment protection for all your deployments besides your production domain by reviewing your deployment protection settings. Make sure that these preview or other environment deployments are not used by your production application before doing so.
The quickest way to get your Next.js application to the right version if it's vulnerable is to use the fix-react2shell-next npm package by running the following command in the root of your application:

```bash
npx fix-react2shell-next
```

Once tested, deploy your updated application as soon as possible. If you're deploying to Vercel, the platform already blocks new deployments of vulnerable versions and has WAF rules in place, but upgrading remains critical.

```bash
vercel --prod
```

Load a page from your app and run next.version in the browser console to see the current version, or check your package.json to find your current Next.js version:

```json
{ "dependencies": { "next": "15.3.4" } }
```

Based on the following list, identify which patched release you need to upgrade to:
| Vulnerable version | Patched release |
|---|---|
| Next.js 15.0.x | 15.0.5 |
| Next.js 15.1.x | 15.1.9 |
| Next.js 15.2.x | 15.2.6 |
| Next.js 15.3.x | 15.3.6 |
| Next.js 15.4.x | 15.4.8 |
| Next.js 15.5.x | 15.5.7 |
| Next.js 16.0.x | 16.0.7 |
| Next.js 14 canaries after 14.3.0-canary.76 | Downgrade to 14.3.0-canary.76 (not vulnerable) |
| Next.js 15 canaries before 15.6.0-canary.58 | 15.6.0-canary.58 |
| Next.js 16 canaries before 16.1.0-canary.12 | 16.1.0-canary.12 and after |
Update your package.json:
```json
{ "dependencies": { "next": "15.3.6" } }
```

Run your package manager's install command:

```bash
# npm
npm install
# yarn
yarn install
# pnpm
pnpm install
# bun
bun install
```

Once tested, deploy your updated application as soon as possible. If you're deploying to Vercel, the platform already blocks new deployments of vulnerable versions and has WAF rules in place, but upgrading remains critical.

```bash
vercel --prod
```

If you use another framework that implements React Server Components, consult the React Security Advisory posted on the react.dev blog. If you are running a vulnerable version of the affected software, update to a patched version immediately.
Assume your vulnerable systems are potentially compromised. Once you have patched your framework version and re-deployed your application, we recommend rotating all your application secrets. Learn how to rotate the environment variables for your Vercel team and projects.
- Review the official Next.js security advisory
- For additional questions, contact us at security@vercel.com.
We’ve released an npm package to scan for vulnerable packages and upgrade them. You can read the full details on the package page. Here’s an example run:


The most definitive way to understand your exposure is to check the version of React/Next that you have deployed against the CVE. See the Checking your vulnerability status above for information on how to check this.
We have enabled a banner on the vercel.com dashboard for our customers that informs you if the production deployment of a project contains a vulnerable version of next, react-server-dom-webpack, react-server-dom-parcel, or react-server-dom-turbopack.
Please consider this an extra layer of defense and not a replacement for checking if you are running vulnerable versions directly.
You cannot definitively tell, but we recommend reviewing your application logs and activity for unexpected behavior, such as unusual POST requests or spikes in function timeouts. Function timeouts are not a reliable indicator of compromise on their own: attackers can craft payloads that complete successfully, and timeouts may simply reflect scanning or probing rather than successful exploitation.
Vercel deployed WAF mitigations prior to the CVE announcement. As new exploit variants have emerged, we have identified and patched bypasses to our WAF rules. WAF rules are one layer of defense but can never guarantee 100% coverage. Upgrading to a patched version remains the only way to fully secure your application.
Upgrading to a patched version is the only complete fix. Vercel WAF rules provide an additional layer of defense by filtering known exploit patterns, but WAF rules cannot guarantee protection against all possible variants of an attack.
You can ensure other deployments besides your production domain are protected by reviewing your deployment protection settings.
We are closely monitoring for new exploit variants and iterating on our WAF rules as new information emerges. As of this morning, December 5, we’ve deployed additional rules to cover newly identified attack patterns. Our team will continue to add further layers of protections and share updates as they become available.
If you are currently using canary-only features in Next.js you should still prioritize updating to a patched version. See the Required Action section of the Next.js Security Advisory for instructions on how to update to a patched Next.js version without having to disable canary-only features.
We caution against using publicly available exploits against your production environment. Instead, we recommend following the above procedures to ensure all public deployments are using the latest versions of React Server Components and Next.js.
If you have a complex deployment that requires additional verification, we recommend testing in a sandboxed environment with synthetic data to avoid unintended consequences on your production services and data.
Vercel is rolling out patches to existing v0 chats automatically over the next few days. However, you should patch affected v0 apps immediately rather than wait for the automatic update.
To patch a v0 app manually:
- Open the deploy dialogue for your affected v0 chat
- Click the "Fix with v0" button
Note that v0 apps that are not published are unaffected by React2Shell.