You can now access Google's latest Gemini model, Gemini 3 Flash, with Vercel's AI Gateway and no other provider accounts required.

It is Google's most intelligent model that is optimized for speed, with Gemini 3's pro-grade reasoning alongside flash-level latency, efficiency, and cost. Gemini 3 Flash significantly outperforms the previous Gemini 2.5 models, beating Gemini 2.5 Pro across most benchmarks, while using 30% less tokens and is 3x faster at a fraction of the cost.

To use the Gemini 3 Flash with the AI SDK, set the model to google/gemini-3-flash:

1
import { streamText } from 'ai';
2

3
const result = streamText({
4
  model: 'google/gemini-3-flash',
5
  prompt:
6
    `Produce a step-by-step analysis that solves a novel
7
     problem, exposes intermediate logic, and delivers a final answer
8
     using minimal tokens and maximal inference density.`
9
  providerOptions: {
10
    google: {
11
      thinkingLevel: 'high',
12
      includeThoughts: true
13
    },
14
  },
15
});

AI Gateway provides a unified API for calling models, tracking usage and cost, and configuring retries, failover, and performance optimizations for higher-than-provider uptime. It includes built-in observability, Bring Your Own Key support, and intelligent provider routing with automatic retries.

Learn more about AI Gateway, view the AI Gateway model leaderboard or try it in our model playground.

Vercel Knowledge Base is a new home for guides, tutorials, and best practices for developers building on Vercel, including how to:

• Build agentic apps with the AI cloud

• Host your Backend with your preferred framework

• Secure your apps with Vercel's built-in features

You can use the Knowledge Base to find and explore guides for specific use cases with:

• Semantic AI search: describe what you're trying to achieve

• AI chat: ask our agent about a guide

• Filters: search guides by Vercel product or feature

You can now export the results from your Observability queries as CSV or JSON files. This allows you to analyze, share, and process your Vercel observability data outside of the Vercel dashboard.

Click the download icon on any query to export your query results instantly.

This feature is available for all teams with Observability Plus.

Try it out or learn more about Query.

Web Analytics now allows you to split data across any dimension.

You can now break down your Web Analytics data across any dimension, not just Flags and Flag Values. This update expands support to 11 dimensions, which are:

• Paths

• Routes

• Host names

• Countries

• Devices

• OS

• Referrers

• Flags

• Flag values

• Events names

• Event properties

With dimension splits and filters, you can dig deeper into user activity and better understand how different segments are using your application.

This feature is available to all Vercel users with the Web Analytics package installed. Web Analytics Plus subscribers also gain the enhanced capability of splitting data by UTM parameters.

Try it out or learn more about Web Analytics.

You can now add one or more cache tags to your Function response by importing the addCacheTag function from @vercel/functions npm package.

import { addCacheTag } from '@vercel/functions'

Once the cached response has a tag associated with it, you can later invalidate the cache in one of several ways:

• Dashboard Settings

• Vercel CLI

• Function API

• REST API

In addition to invalidating by tag, you can also dangerously delete by tag if the origin is gone. However, deleting the cache can increase latency while new content is generated or cause downtime if your origin is unresponsive, so use with caution.

Available on all plans and all frameworks.

Learn more about cache invalidation.

Push notifications are now available on both desktop and mobile, with support for all notification types.

To start receiving push notifications from Vercel:

• Go to Notification Settings in the Vercel dashboard

• Enable the push notification channel for any notification type

To allow mobile notifications on your phone:

• Open the Vercel Dashboard in your mobile browser

• Opt in to push notifications when prompted

Try it out or learn more about notifications.

For any request displayed on runtime logs in the Vercel dashboard, you can now view the referer (if any) for that request in the right hand details panel.

This allows you to understand the source of that request and more easily debug issues.

Try it out or learn more about Runtime Logs.

See the Security Bulletin for the latest updates.

Link to headingSummary

Two additional vulnerabilities in React Server Components have been identified: a high-severity Denial of Service (CVE-2025-55184) and a medium-severity Source Code Exposure (CVE-2025-55183). These issues were discovered while security researchers examined the patches for the original React2Shell vulnerability. The initial fix was incomplete and did not fully prevent denial-of-service attacks for all payload types, resulting in CVE-2025-67779.

Importantly, none of these new issues allow for Remote Code Execution.

We created new rules to address these vulnerabilities and deployed them to the Vercel WAF to automatically protect all projects hosted on Vercel at no cost. However, do not rely on the WAF for full protection. Immediate upgrades to a patched version are required.

Link to headingImpact

Link to headingDenial of Service (CVE-2025-55184)

A malicious HTTP request can be crafted and sent to any App Router endpoint that, when deserialized, can cause the server process to hang and consume CPU.

Link to headingSource Code Exposure (CVE-2025-55183)

A malicious HTTP request can be crafted and sent to any App Router endpoint that can return the compiled source code of Server Actions. This could reveal business logic, but would not expose secrets unless they were hardcoded directly into Server Action's code.

These vulnerabilities are present in versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1 of the following packages:

• react-server-dom-parcel

• react-server-dom-webpack

• react-server-dom-turbopack

These packages are included in the following frameworks and bundlers:

• Next.js: 13.x, 14.x, 15.x, and 16.x.

• Other frameworks and plugins that embed or depend on React Server Components implementation (e.g., Vite, Parcel, React Router, RedwoodSDK, Waku)

Link to headingResolution

After creating mitigations to address these vulnerabilities, we deployed them across our globally-distributed platform to protect our customers. We still recommend upgrading to the latest patched version.

Updated releases of React and affected downstream frameworks include fixes to prevent these issues. All users should upgrade to a patched version as soon as possible.

Link to headingFixed in

• React: 19.0.2, 19.1.3, 19.2.2.

• Next.js: 14.2.35, 15.0.7, 15.1.11, 15.2.8, 15.3.8, 15.4.10, 15.5.9, 15.6.0-canary.60, 16.0.10, 16.1.0-canary.19.

Frameworks and bundlers using the aforementioned packages should install the latest versions provided by their respective maintainers.

Link to headingCredit

Thanks to RyotaK from GMO Flatt Security Inc. and Andrew MacPherson for identifying and responsibly reporting these vulnerabilities, and the Meta Security and React teams for their partnership.

Link to headingReferences

• Next.js Security Update: December 11, 2025

• React Blog: Denial of Service and Source Code Exposure in React Server Components

• React security advisory (CVE-2025-55183)

• React security advisory (CVE-2025-55184)