Urgent Security Advisory: New React Server Component Vulnerabilities (CVE-2025-55184, CVE-2025-55183)

Security Advisory

Two new vulnerabilities, a high-severity Denial of Service (CVE-2025-55184) and a medium-severity Source Code Exposure (CVE-2025-55183), have been discovered in React 19 and Next.js. An initial fix was incomplete, and the remaining gap was assigned CVE-2025-67779. Immediate upgrades are essential to protect applications. This advisory details the issues, affected versions, and required remediation steps.

Following the React2Shell disclosure, increased community research into React Server Components has uncovered two additional vulnerabilities requiring immediate patching: a high-severity Denial of Service (CVE-2025-55184) and a medium-severity Source Code Exposure (CVE-2025-55183). These vulnerabilities affect React 19 and frameworks built upon it, such as Next.js. Neither of these new issues allows Remote Code Execution.

The security community plays a crucial role in strengthening the ecosystem by continuously testing and identifying potential weaknesses, for which we are grateful.

Urgent Action Required

These vulnerabilities specifically affect React versions 19.0.0 through 19.2.1 and Next.js versions 13.x through 16.x. If you are running an affected version, you must upgrade immediately, regardless of any other protective measures in place.

An initial fix deployed on December 11 was later found to be incomplete: it did not block the denial-of-service condition for all payload types. That remaining gap was assigned its own identifier, CVE-2025-67779. Everyone must therefore upgrade to the latest patched versions listed in the "Patched versions" table below, including teams that already applied the December 11 release.

We recommend monitoring this page and the Vercel Developers X Account frequently for the latest updates. Updates will also be included in the Vercel Dashboard.


When to Upgrade Your Application

These vulnerabilities are present in React versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1 of the following packages:

  • react-server-dom-parcel
  • react-server-dom-webpack
  • react-server-dom-turbopack

These packages are typically included in frameworks and bundlers such as:

  • Next.js: 13.x, 14.x, 15.x, and 16.x
  • Other frameworks and plugins that embed or depend on the React Server Components implementation (e.g., Vite, Parcel, React Router, RedwoodSDK, Waku)

Understanding CVE-2025-55184 and CVE-2025-55183

Denial of Service (CVE-2025-55184)

A specially crafted HTTP request can be sent to any App Router endpoint. When the server deserializes the request, the process can hang and consume excessive CPU, producing a denial-of-service condition. Because the problem is triggered during deserialization of the incoming request, before your own route or action code runs, the only reliable fix is to run a patched version.

Source Code Exposure (CVE-2025-55183)

A crafted HTTP request sent to any App Router endpoint can, if successful, return the compiled source code of Server Actions. This can reveal business logic, but it does not expose secrets unless they were hardcoded directly into the Server Action's code. If you did hardcode secrets that way, treat them as exposed and rotate them (see "Rotating Environment Variables" below).


Vercel WAF Protection

Vercel has created and deployed new Web Application Firewall (WAF) rules designed to address these vulnerabilities. These rules automatically protect all projects hosted on Vercel at no additional cost.

While Vercel WAF rules provide an essential additional layer of defense by filtering known exploit patterns, they cannot guarantee protection against all possible variants of an attack. Immediate upgrades to a patched version remain the primary and required course of action.


How to Upgrade and Protect Your Next.js App

Vercel Security Actions Dashboard

Vercel offers a unified dashboard that highlights any security issues requiring action from your team and provides clear remediation steps. You can view your security actions dashboard.

Vercel Deployment Protection

Even if your production application has been patched, older deployments might still be vulnerable. We strongly recommend enabling Standard Protection for all deployments except your primary production domain.

You can identify projects without deployment protection in your security actions dashboard or by reviewing your deployment protection settings. Ensure that preview deployments and deployments from other environments are not accessed by external users without protection bypass. For detailed information, consult the documentation.

Additionally, audit shareable links from your deployments. If you've disabled deployment protection to share domains pointing to preview or custom environment deployments, you should implement deployment protection exceptions and verify that all deployments on the exception list have been patched.

Version Upgrade Methods

Automated Upgrade with Vercel Agent

Vercel Agent can automatically detect vulnerable projects and open pull requests that upgrade your code to patched versions. You can view vulnerable projects and initiate upgrades directly from the Vercel security actions dashboard.

Upgrade with the Command Line Tool

To quickly update your Next.js project to the correct version, use the fix-react2shell-next command-line tool, which has been updated to address these additional vulnerabilities.

Run the following command to check your versions and apply upgrades:

npx fix-react2shell-next

Once tested, deploy your updated application as soon as possible. Refer to the deployment guide for instructions.

Manual Upgrade
  1. Identify your current version. Load a page from your app and run next.version in the browser console, or check your package.json file. Note that a range in package.json (for example "^15.3.4") is not necessarily the version that is installed; the lockfile or node_modules/next/package.json shows what actually ships.

    {
      "dependencies": {
        "next": "15.3.4"
      }
    }
    
  2. Update to the patched version. Based on the following list, identify the patched release you need to upgrade to:

    Patched versions

    Version                 DoS (CVE-2025-55184)   Source Code Exposure (CVE-2025-55183)   Fixed In
    Next.js >=13.3          ✔️                                                              Upgrade to 14.2.35
    Next.js 14.x            ✔️                                                              14.2.35
    Next.js 15.0.x          ✔️                     ✔️                                       15.0.7
    Next.js 15.1.x          ✔️                     ✔️                                       15.1.11
    Next.js 15.2.x          ✔️                     ✔️                                       15.2.8
    Next.js 15.3.x          ✔️                     ✔️                                       15.3.8
    Next.js 15.4.x          ✔️                     ✔️                                       15.4.10
    Next.js 15.5.x          ✔️                     ✔️                                       15.5.9
    Next.js 15.x canary     ✔️                     ✔️                                       15.6.0-canary.60
    Next.js 16.0.x          ✔️                     ✔️                                       16.0.10
    Next.js 16.0.x canary   ✔️                     ✔️                                       16.1.0-canary.19

    Next.js Pages Router applications are not affected.

    If you're currently using canary releases to enable PPR, you can update to 15.6.0-canary.60, which includes a fix for the vulnerabilities while continuing to support PPR. For other ways to patch older versions, refer to this discussion post.

    Update your package.json file accordingly (in this example, 15.3.4 is on the 15.3.x line, so the patched release from the table is 15.3.8):

    {
      "dependencies": {
        "next": "15.3.8"
      }
    }
    
  3. Install dependencies and update lockfile. Always commit lockfile changes alongside package.json changes. Run your package manager's install command:

    # npm
    npm install

    # yarn
    yarn install

    # pnpm
    pnpm install

    # bun
    bun install

  4. Deploy immediately. Once tested, deploy your updated application as soon as possible. See the deployment guide for instructions.

    If you're deploying to Vercel, the platform already blocks new deployments of vulnerable versions and has WAF rules in place, but upgrading remains critical. If you deploy via Git, pushing your changes will trigger a preview build with the patched version, and merging will promote that build to production. You can also create a Manual Deployment from the Vercel Dashboard to publish the fix immediately. If you are using the Vercel CLI, deploy with this command:

    vercel --prod
    
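The procedure above boils down to one decision: take the versions that are actually installed and map them to the table. The script below is an added example, not Vercel's tooling and not a substitute for `npx fix-react2shell-next`; it encodes the Next.js patched-version table from this advisory and the affected react-server-dom-* range (19.0.0 through 19.2.1) from the "When to Upgrade Your Application" section, and reports what each installed package needs. The version comparison is a small hand-written semver ordering so the script runs with no dependencies; the input object is constructed to look like what you would read from node_modules/<pkg>/package.json.

```javascript
// Added example (not part of the advisory or of Vercel's tools): audit installed
// versions against the patched-version table in this advisory.

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into comparable parts. Exact versions
// only: a range such as "^15.3.4" is rejected, because the installed version
// must be read from the lockfile or node_modules, not from package.json.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(String(v).trim());
  if (!m) throw new Error(`not an exact version (read it from the lockfile): ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] ? m[4].split('.') : null };
}

// Semver ordering: numeric core first; a prerelease sorts before the release
// with the same core; prerelease identifiers compare numerically when both
// are digits, otherwise lexically ("canary.30" < "canary.60").
function compareVersions(a, b) {
  for (const k of ['major', 'minor', 'patch']) {
    if (a[k] !== b[k]) return a[k] < b[k] ? -1 : 1;
  }
  if (!a.pre && !b.pre) return 0;
  if (!a.pre) return 1;
  if (!b.pre) return -1;
  const n = Math.max(a.pre.length, b.pre.length);
  for (let i = 0; i < n; i++) {
    if (a.pre[i] === undefined) return -1;
    if (b.pre[i] === undefined) return 1;
    const x = a.pre[i], y = b.pre[i];
    const xn = /^\d+$/.test(x), yn = /^\d+$/.test(y);
    if (xn && yn) { if (+x !== +y) return +x < +y ? -1 : 1; }
    else if (xn) return -1;
    else if (yn) return 1;
    else if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// "Patched versions" table from the advisory, keyed by major.minor line.
// The two canary rows are the 15.6.0-canary and 16.1.0-canary lines.
const NEXT_PATCHED = [
  { line: [15, 0], fixedIn: '15.0.7' },  { line: [15, 1], fixedIn: '15.1.11' },
  { line: [15, 2], fixedIn: '15.2.8' },  { line: [15, 3], fixedIn: '15.3.8' },
  { line: [15, 4], fixedIn: '15.4.10' }, { line: [15, 5], fixedIn: '15.5.9' },
  { line: [15, 6], fixedIn: '15.6.0-canary.60' },
  { line: [16, 0], fixedIn: '16.0.10' }, { line: [16, 1], fixedIn: '16.1.0-canary.19' },
];

// Decide for one installed Next.js version. Versions the table does not
// cover (pre-13.3, 14.x canaries, anything newer than the table) are
// reported as 'not-in-table' rather than guessed.
function auditNext(version) {
  const v = parseVersion(version);
  const out = { package: 'next', version, status: 'not-in-table', fixedIn: null };
  if (v.major < 13 || (v.major === 13 && v.minor < 3)) return out;
  if (v.major < 15) {
    if (v.pre) return out;            // no 13.x/14.x canary row in the table
    out.fixedIn = '14.2.35';          // 13.3+ and 14.x both move to 14.2.35
  } else {
    const row = NEXT_PATCHED.find(r => r.line[0] === v.major && r.line[1] === v.minor);
    if (!row) return out;
    out.fixedIn = row.fixedIn;
  }
  out.status = compareVersions(v, parseVersion(out.fixedIn)) >= 0 ? 'patched' : 'vulnerable';
  return out;
}

// Decide for one of the three React packages named in the advisory. The page
// gives the affected range (19.0.0 through 19.2.1) but no fixed-in column, so
// only the range is checked; canary builds are flagged for manual review.
const RSC_PACKAGES = ['react-server-dom-parcel', 'react-server-dom-webpack', 'react-server-dom-turbopack'];
function auditRsc(name, version) {
  const v = parseVersion(version);
  if (v.pre) return { package: name, version, status: 'check-manually' };
  const inRange = compareVersions(v, parseVersion('19.0.0')) >= 0 &&
                  compareVersions(v, parseVersion('19.2.1')) <= 0;
  return { package: name, version, status: inRange ? 'vulnerable' : 'outside-affected-range' };
}

// Run both checks over a { packageName: installedVersion } map and return
// findings only for the packages this advisory is about.
function auditInstalled(installed) {
  const findings = [];
  for (const [name, version] of Object.entries(installed)) {
    if (name === 'next') findings.push(auditNext(version));
    else if (RSC_PACKAGES.includes(name)) findings.push(auditRsc(name, version));
  }
  return findings;
}

// Constructed sample input (not from a real project): what you would read from
// node_modules/next/package.json and node_modules/react-server-dom-webpack/package.json.
const SAMPLE_INSTALLED = { next: '15.3.4', 'react-server-dom-webpack': '19.1.1', react: '19.1.1' };
console.log(auditInstalled(SAMPLE_INSTALLED));
```

For the sample input the script reports next 15.3.4 as vulnerable with fixedIn 15.3.8 and react-server-dom-webpack 19.1.1 as inside the affected range; the unrelated react entry is ignored. Run it against every deployed environment, not just production, since older preview deployments keep whatever version they were built with.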

Rotating Environment Variables

Rotating environment variables is recommended only if secrets were hardcoded as plain text directly within your codebase, for example inside a Server Action, since CVE-2025-55183 can expose compiled Server Action source. Secrets that are only read from environment variables at runtime are not affected by this issue. Learn how to rotate the environment variables for your Vercel team and projects.

How to Upgrade Other Frameworks

If you use another framework that implements React Server Components, consult the upgrade instructions from the React2Shell blog post on the react.dev blog, which still apply. For more information, read the new React blog post on the new vulnerabilities.

If you are running a vulnerable version of the affected software, you should update to a patched version immediately.


Next Steps

  • Review the official Next.js security advisory blog post for further details.
  • For additional questions, contact us at security@vercel.com.