Following the React2Shell disclosure, increased community research into React Server Components surfaced two additional vulnerabilities that require patching: a high-severity Denial of Service (CVE-2025-55184) and a medium-severity Source Code Exposure (CVE-2025-55183). They affect React 19 and frameworks that use it, like Next.js.
Neither of these new issues allows remote code execution.
Critical CVEs often lead to follow ups. Once a patch lands, researchers dig deeper, looking for bypasses, variants, or missed edge cases. We are grateful to the security community for continuing to test and help strengthen the ecosystem.
We recommend checking this page and the Vercel Developers X Account frequently for the latest updates, and will continue to include them in the Vercel Dashboard as well.
These vulnerabilities affect React versions 19.0.0 through 19.2.1 and Next.js versions 13.x through 16.x.
If you're running an affected version, upgrade immediately, regardless of other protections in place.
Jump to the How to upgrade and protect your Next.js app guide to learn how to patch and protect your application.
- When to upgrade your application
- Understanding CVE-2025-55184 and CVE-2025-55183
- How to upgrade and protect your Next.js app
- How to upgrade other frameworks
These vulnerabilities are present in React versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1 of the following packages:
- react-server-dom-parcel
- react-server-dom-webpack
- react-server-dom-turbopack
These packages are included in the following frameworks and bundlers:
- Next.js: 13.x, 14.x, 15.x, and 16.x
- Other frameworks and plugins that embed or depend on the React Server Components implementation (e.g., Vite, Parcel, React Router, RedwoodSDK, Waku)
Denial of Service (CVE-2025-55184)
A malicious HTTP request can be crafted and sent to any App Router endpoint; when the server deserializes its payload, the server process can hang and consume CPU.
Source Code Exposure (CVE-2025-55183)
A malicious HTTP request can be crafted and sent to any App Router endpoint that can return the compiled source code of Server Actions. This could reveal business logic, but would not expose secrets unless they were hardcoded directly into the Server Action’s code.
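The point above is worth seeing concretely: whatever is disclosed is the compiled source text of the action, so a secret is exposed only if its value is embedded in that text. The following is an added example, not code from this page or from Next.js. Plain functions stand in for `'use server'` actions, `Function.prototype.toString` stands in for the compiled bundle, and the key value and `PAYMENT_API_KEY` variable name are constructed for the demo.

```javascript
// Added example (not code from the Vercel page or from Next.js): shows why an
// exposed compiled Server Action (CVE-2025-55183) leaks a hardcoded secret but
// not one read from the environment. Plain functions stand in for 'use server'
// actions, Function#toString() stands in for the compiled bundle, and the
// secret value and PAYMENT_API_KEY name are constructed for the demo.

const CONSTRUCTED_SECRET = "sk_test_constructed_0123456789";

// BAD: the key is a string literal in the action body, so it is embedded in the
// compiled source that the vulnerability can return to an unauthenticated caller.
function chargeCustomerHardcoded(amountCents) {
  const apiKey = "sk_test_constructed_0123456789";
  return { authorization: `Bearer ${apiKey}`, amountCents };
}

// GOOD: the key is resolved from process.env when the action runs. The compiled
// source carries only the variable name; the value never leaves the server's
// environment even if the source is disclosed.
function chargeCustomerFromEnv(amountCents) {
  const apiKey = process.env.PAYMENT_API_KEY;
  if (!apiKey) throw new Error("PAYMENT_API_KEY is not set");
  return { authorization: `Bearer ${apiKey}`, amountCents };
}

// Approximates what the attacker gets back: the action's source text. A real
// bundle is transformed and possibly minified, but string literals survive that.
function compiledSourceOf(action) {
  return Function.prototype.toString.call(action);
}

// Returns every known secret value that appears verbatim in the action's source.
// Run the same check over your real Server Action files with the secrets your
// app holds to find literals that must move into environment variables.
function secretsLeakedBy(action, knownSecrets) {
  const src = compiledSourceOf(action);
  return knownSecrets.filter((s) => src.includes(s));
}

// Stand-alone demo: simulate the server's runtime environment, then compare.
process.env.PAYMENT_API_KEY = CONSTRUCTED_SECRET;
console.log("hardcoded action leaks:", secretsLeakedBy(chargeCustomerHardcoded, [CONSTRUCTED_SECRET]));
console.log("env-based action leaks:", secretsLeakedBy(chargeCustomerFromEnv, [CONSTRUCTED_SECRET]));
```

One caveat when applying this to a Next.js app: variables prefixed `NEXT_PUBLIC_` are inlined into the build output at build time, so they end up in compiled code just like a literal and must never hold secrets; other `process.env` reads in server code remain runtime lookups.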
We created new rules to address these vulnerabilities and deployed them to the Vercel WAF to automatically protect all projects hosted on Vercel at no cost.
Vercel WAF rules provide an additional layer of defense by filtering known exploit patterns.
WAF rules cannot guarantee protection against all possible variants of an attack. Immediate upgrades to a patched version are required.
Vercel provides a unified dashboard that surfaces any security issues requiring action from your team, including remediation steps. View your security actions dashboard.
Even if your production app has been patched, older versions could still be vulnerable. We strongly recommend turning on Standard Protection for all deployments besides your production domain.
You can see a list of projects without deployment protection in your security actions dashboard or by reviewing your deployment protection settings.
Make sure that preview deployments and deployments from other environments cannot be reached by external users unless they first pass a protection bypass (see the documentation for details).
You should also audit shareable links from your deployments. If you have disabled deployment protection to share domains that point to preview or custom environment deployments, you should implement deployment protection exceptions and make sure that all deployments added to the exception list have been patched.
Vercel Agent can automatically detect vulnerable projects and open PRs that upgrade your code to patched versions.
View vulnerable projects and initiate upgrades in the Vercel security actions dashboard.
You can quickly update your Next.js project to the right version by using the fix-react2shell-next command-line tool, which has been updated to fix these additional vulnerabilities.
Run the following command to check your versions and apply upgrades:
```bash
npx fix-react2shell-next
```

Once tested, deploy your updated application as soon as possible. See the deployment guide for instructions.
1. Identify your current version
Load a page from your app and run next.version in the browser console to see the current version, or check your package.json:
```json
{ "dependencies": { "next": "15.3.4" } }
```

2. Update to the patched version
Based on the following list, identify which patched release you need to upgrade to:
| Version | DoS (CVE-2025-55184) | Source Code Exposure (CVE-2025-55183) | Fixed In |
|---|---|---|---|
| Next.js >=13.3 | ✔️ | — | Upgrade to 14.2.34 |
| Next.js 14.x | ✔️ | — | 14.2.34 |
| Next.js 15.0.x | ✔️ | ✔️ | 15.0.6 |
| Next.js 15.1.x | ✔️ | ✔️ | 15.1.10 |
| Next.js 15.2.x | ✔️ | ✔️ | 15.2.7 |
| Next.js 15.3.x | ✔️ | ✔️ | 15.3.7 |
| Next.js 15.4.x | ✔️ | ✔️ | 15.4.9 |
| Next.js 15.5.x | ✔️ | ✔️ | 15.5.8 |
| Next.js 15.x canary | ✔️ | ✔️ | 15.6.0-canary.59 |
| Next.js 16.0.x | ✔️ | ✔️ | 16.0.9 |
| Next.js 16.0.x canary | ✔️ | ✔️ | 16.1.0-canary.18 |
Next.js Pages Router applications are not affected.
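Steps 1 and 2 can be automated across a repository. The script below is an added example, not code from this page or from the fix-react2shell-next tool: it walks an npm lockfile (lockfileVersion 2 or 3 `packages` map), finds every installed copy of `next` and of the three react-server-dom-* packages named above, including nested copies under a dependency's own `node_modules`, and reports which ones fall inside the versions this advisory lists together with the patched Next.js release from the table. The lockfile contents, package paths and versions in `SAMPLE_LOCKFILE` are constructed for the demo. Note that Next.js ships its own vendored copy of the react-server-dom-* packages rather than depending on them in your lockfile, so for a Next.js app the `next` entry is the one that matters.

```javascript
// Added example: not code from the Vercel page or from the fix-react2shell-next tool.
// It walks an npm lockfile (lockfileVersion 2/3 "packages" map), finds every installed
// copy of next and of the three react-server-dom-* packages, and reports which copies
// fall inside the versions this advisory lists, plus the patched Next.js release to
// move to. SAMPLE_LOCKFILE at the bottom is constructed for the demo.

const RSC_PACKAGES = new Set([
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
]);

// The exact react-server-dom-* releases the advisory names as vulnerable.
const AFFECTED_RSC_VERSIONS = new Set([
  "19.0.0", "19.0.1", "19.1.0", "19.1.1", "19.1.2", "19.2.0", "19.2.1",
]);

// Patched Next.js release per affected line, transcribed from the advisory's table.
// 13.x has no patched 13 release; the table sends it to 14.2.34.
const NEXT_FIXED_STABLE = {
  "13": "14.2.34", "14": "14.2.34",
  "15.0": "15.0.6", "15.1": "15.1.10", "15.2": "15.2.7", "15.3": "15.3.7",
  "15.4": "15.4.9", "15.5": "15.5.8", "16.0": "16.0.9",
};
const NEXT_FIXED_CANARY = { "15": "15.6.0-canary.59", "16": "16.1.0-canary.18" };

// Minimal semver parser: "15.6.0-canary.59" -> { major: 15, minor: 6, patch: 0, pre: ["canary", 59] }
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  const pre = m[4] ? m[4].split(".").map((p) => (/^\d+$/.test(p) ? Number(p) : p)) : [];
  return { major: Number(m[1]), minor: Number(m[2]), patch: Number(m[3]), pre };
}

// Semver precedence: numeric core first; a prerelease sorts below the bare release;
// prerelease identifiers compare left to right, numerically when both are numbers.
function compareVersions(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (const k of ["major", "minor", "patch"]) if (x[k] !== y[k]) return x[k] - y[k];
  if (x.pre.length === 0 || y.pre.length === 0) return y.pre.length - x.pre.length;
  for (let i = 0; i < Math.max(x.pre.length, y.pre.length); i++) {
    if (x.pre[i] === undefined) return -1;
    if (y.pre[i] === undefined) return 1;
    if (x.pre[i] === y.pre[i]) continue;
    if (typeof x.pre[i] === "number" && typeof y.pre[i] === "number") return x.pre[i] - y.pre[i];
    return String(x.pre[i]) < String(y.pre[i]) ? -1 : 1;
  }
  return 0;
}

// Status of one Next.js version. Returns null for lines the table does not cover
// (a newer stable minor, or a major outside 13-16): treat those as "verify by hand",
// never as safe.
function nextStatus(version) {
  const v = parseVersion(version);
  const fixed = v.pre.length
    ? NEXT_FIXED_CANARY[String(v.major)]
    : NEXT_FIXED_STABLE[v.major < 15 ? String(v.major) : `${v.major}.${v.minor}`];
  if (!fixed) return null;
  return { affected: compareVersions(version, fixed) < 0, fixedIn: fixed };
}

// Walk every installed package, including nested copies under a dependency's own
// node_modules, which a top-level package.json check does not see.
function scanLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "" || !entry.version) continue; // "" is the root project itself
    const name = path.split("node_modules/").pop(); // keeps "@scope/name" intact
    if (name === "next") {
      const s = nextStatus(entry.version);
      findings.push({ name, path, version: entry.version,
        affected: s ? s.affected : null, fixedIn: s ? s.fixedIn : null });
    } else if (RSC_PACKAGES.has(name)) {
      findings.push({ name, path, version: entry.version,
        affected: AFFECTED_RSC_VERSIONS.has(entry.version), fixedIn: null });
    }
  }
  return findings;
}

// Constructed lockfile: a vulnerable next, a nested vulnerable RSC package, an RSC
// package outside the listed versions, and a canary newer than the patched canary.
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "0.0.0" },
    "node_modules/next": { version: "15.3.4" },
    "node_modules/rsc-framework/node_modules/react-server-dom-webpack": { version: "19.2.1" },
    "node_modules/react-server-dom-parcel": { version: "19.2.2" },
    "node_modules/internal-tool/node_modules/next": { version: "16.1.0-canary.20" },
  },
};

console.table(scanLockfile(SAMPLE_LOCKFILE));
```

To run it against a real project, replace `SAMPLE_LOCKFILE` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`. Two limits to keep in mind: the react-server-dom-* check is an exact match against the seven releases this page names, so canary or other prerelease builds of those packages come back as not listed rather than as safe and should be checked against the React advisory; and `affected: null` for a `next` version means the table has no row for it, which is a prompt to verify by hand, not a clean bill of health.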
Update your package.json:

```json
{ "dependencies": { "next": "15.3.7" } }
```

3. Install dependencies and update lockfile
Always commit lockfile changes together with package.json changes.
Run your package manager's install command:
```bash
# npm
npm install

# yarn
yarn install

# pnpm
pnpm install

# bun
bun install
```

4. Deploy immediately
Once tested, deploy your updated application as soon as possible. See the deployment guide for instructions.
If you're deploying to Vercel, the platform already blocks new deployments of vulnerable versions and has WAF rules in place, but upgrading remains critical.
If you deploy via Git, pushing your changes will trigger a preview build with the patched version, and merging will promote that build to production.
You can also create a Manual Deployment from the Vercel Dashboard to publish the fix immediately.
If you are using the Vercel CLI, deploy with this command:
```bash
vercel --prod
```

If you use another framework that implements React Server Components, consult the upgrade instructions from the React2Shell blog post on the react.dev blog, which still apply.
For more information, read the React team's blog post on these two vulnerabilities.
If you are running a vulnerable version of the affected software, you should update to a patched version immediately.
- Review the official Next.js security advisory blog post
- For additional questions, contact us at security@vercel.com