React Server Components security update: DoS and Source Code Exposure

Two additional vulnerabilities in React Server Components have been identified: a high-severity Denial of Service (CVE-2025-55184) and a medium-severity Source Code Exposure (CVE-2025-55183). These issues were discovered while security researchers examined the patches for the original React2Shell vulnerability.

Importantly, neither of these new issues allows for Remote Code Execution. The patch for React2Shell remains fully effective.

We created new rules to address these vulnerabilities and deployed them to the Vercel WAF to automatically protect all projects hosted on Vercel at no cost. However, do not rely on the WAF for full protection. Immediate upgrades to a patched version are required.

Fixed in

  • React: 19.0.2, 19.1.3, 19.2.2.

  • Next.js: 14.2.34, 15.0.6, 15.1.10, 15.2.7, 15.3.7, 15.4.9, 15.5.8, 15.6.0-canary.59, 16.0.9, 16.1.0-canary.18.

Frameworks and bundlers using the aforementioned packages should install the latest versions provided by their respective maintainers.

Read the full changelog:

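An added check, not code from the Vercel post: given the versions actually resolved for `react` and `next` (take them from your lockfile, since a caret range in package.json only states a lower bound), it reports whether each sits at or above the minimum patched version of its release line in the "Fixed in" list above. The `FIXED_IN` table is copied from the post; the sample input is constructed.

```javascript
// Minimum patched version per release line (major.minor), copied from the post.
// Added example; FIXED_IN covers only the two packages the post lists.
const FIXED_IN = {
  react: ["19.0.2", "19.1.3", "19.2.2"],
  next: ["14.2.34", "15.0.6", "15.1.10", "15.2.7", "15.3.7", "15.4.9",
    "15.5.8", "15.6.0-canary.59", "16.0.9", "16.1.0-canary.18"],
};

// Parse "MAJOR.MINOR.PATCH[-prerelease]" (a leading ^ ~ = or v is tolerated).
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v.replace(/^[\^~=v]/, ""));
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] ? m[4].split(".") : null };
}

// Semver precedence. A prerelease ranks below its release, so
// 16.1.0-canary.18 < 16.1.0 < 16.1.2, and canary.59 > canary.18.
function compareSemver(a, b) {
  const x = parseSemver(a), y = parseSemver(b);
  for (const k of ["major", "minor", "patch"]) if (x[k] !== y[k]) return x[k] - y[k];
  if (!x.pre || !y.pre) return (x.pre ? 0 : 1) - (y.pre ? 0 : 1);
  for (let i = 0; i < Math.max(x.pre.length, y.pre.length); i++) {
    const p = x.pre[i], q = y.pre[i];
    if (p === undefined || q === undefined) return p === undefined ? -1 : 1;
    if (p === q) continue;
    const pn = /^\d+$/.test(p), qn = /^\d+$/.test(q);
    if (pn && qn) return +p - +q;
    return pn !== qn ? (pn ? -1 : 1) : (p < q ? -1 : 1); // numeric ids rank lowest
  }
  return 0;
}

// One package: "patched", "vulnerable", or "unknown" (release line not in the list).
function checkPackage(pkg, resolved) {
  const v = parseSemver(resolved);
  const fixed = (FIXED_IN[pkg] || []).find((f) => {
    const g = parseSemver(f);
    return g.major === v.major && g.minor === v.minor;
  });
  if (!fixed) return { status: "unknown", fixed: null };
  return { status: compareSemver(resolved, fixed) >= 0 ? "patched" : "vulnerable", fixed };
}

// Audit a map of package -> resolved version; the sample mirrors the question below.
function audit(resolved) {
  return Object.fromEntries(Object.entries(resolved).map(([p, v]) => [p, checkPackage(p, v)]));
}
console.log(audit({ react: "19.2.3", next: "16.1.2" })); // constructed sample input
```

Packages not in the table (react-dom, for instance) come back as "unknown"; extend `FIXED_IN` from your framework's own advisory rather than assuming they share React's numbers.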

I have followed and implemented the instructions, but Vercel is still showing a warning about react2shell. This is my package.json file—please help explain why the warning is still appearing.

```json
"dependencies": {
  "@dicebear/collection": "^9.2.3",
  "@dicebear/core": "^9.2.3",
  "@dnd-kit/modifiers": "^9.0.0",
  "@dnd-kit/sortable": "^10.0.0",
  "@hookform/resolvers": "^5.2.0",
  "@sendgrid/mail": "^8.1.5",
  "@tanstack/react-query": "^5.84.0",
  "@tanstack/react-table": "^8.21.3",
  "axios": "^1.11.0",
  "class-variance-authority": "^0.7.1",
  "clsx": "^2.1.1",
  "cmdk": "^1.1.1",
  "date-fns": "^4.1.0",
  "firebase": "^12.6.0",
  "i18next": "^25.3.4",
  "i18next-browser-languagedetector": "^8.2.0",
  "lodash": "^4.17.21",
  "lucide-react": "^0.526.0",
  "next": "^16.1.2",
  "next-themes": "^0.4.6",
  "nextjs-toploader": "^3.9.17",
  "nuqs": "^2.8.5",
  "radix-ui": "^1.4.3",
  "react": "^19.2.3",
  "react-day-picker": "^9.12.0",
  "react-dom": "^19.2.3",
  "react-hook-form": "^7.68.0",
  "react-i18next": "^16.5.0",
  "recharts": "^2.15.4",
  "sonner": "^2.0.6",
  "tailwind-merge": "^3.3.1",
  "tw-animate-css": "^1.4.0",
  "zod": "^4.2.1",
  "zustand": "^5.0.9"
},
"devDependencies": {
  "@eslint/eslintrc": "^3.3.3",
  "@tailwindcss/postcss": "^4.1.18",
  "@types/lodash": "^4.17.21",
  "@types/node": "^22",
  "@types/react": "^19.2.7",
  "@types/react-dom": "^19.2.3",
  "eslint": "^9.39.2",
  "eslint-config-next": "16.1.2",
  "tailwindcss": "^4",
  "typescript": "^5"
}
```

Can you share the name of the project? I see two React2Shell warnings, but the build logs don't match those dependencies, so I don't think it's the same one.