Security advisory for React2Shell

A critical vulnerability in React Server Components (CVE-2025-55182) has been responsibly disclosed. It affects React 19 and frameworks that use it, including Next.js (CVE-2025-66478).

  • If you are using Next.js, every version between Next.js 15 and 16 is affected, and we recommend immediately updating to the latest Next.js version containing the appropriate fixes (15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7)

  • If you are using another framework using Server Components, we also recommend immediately updating to the latest React version containing the appropriate fixes (19.0.1, 19.1.2, and 19.2.1)

Vercel WAF rules provide an additional layer of defense by filtering known exploit patterns. However, WAF rules cannot guarantee protection against all possible variants of an attack. Please upgrade to patched versions immediately.

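As an added example (not code from the advisory, Vercel or the Next.js project), the check below compares an installed `next` or `react` version against the fixed release for its minor line using the versions listed in the advisory above; the `FIXED` table is the only thing to edit as the advisory is updated (a later reply in this thread mentions 16.0.9 for the 16.0 line), and the sample lock map is constructed for the example.

```javascript
// Fixed versions per minor line, copied from the advisory above. Edit this
// table if the advisory is updated; everything else is generic.
const FIXED = {
  next:  ['15.0.5', '15.1.9', '15.2.6', '15.3.6', '15.4.8', '15.5.7', '16.0.7'],
  react: ['19.0.1', '19.1.2', '19.2.1'],
};

// Parse "16.0.7", "^16.0.7" or "16.0.8-canary.1" into numeric parts plus a
// prerelease flag. Range prefixes (^ ~ = v) are stripped; anything else is an error.
function parseVersion(v) {
  const m = /^[\^~=v\s]*(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?\s*$/.exec(String(v));
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], prerelease: Boolean(m[4]) };
}

// Lexicographic compare of [major, minor, patch] tuples: <0, 0 or >0.
function compareNums(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Returns 'patched', 'vulnerable' or 'unknown'. 'unknown' covers prereleases
// and minor lines the advisory does not list (older majors, or lines released
// after it), which should be checked by hand rather than assumed safe.
function assess(pkg, version) {
  const { nums: v, prerelease } = parseVersion(version);
  if (prerelease) return 'unknown';
  const fixed = (FIXED[pkg] || [])
    .map(parseVersion)
    .find(f => f.nums[0] === v[0] && f.nums[1] === v[1]);
  if (!fixed) return 'unknown';
  return compareNums(v, fixed.nums) >= 0 ? 'patched' : 'vulnerable';
}

// Assess the relevant packages in a name -> resolved-version map, such as one
// flattened from package-lock.json. Only next and react are in scope here.
function assessLock(packages) {
  const out = {};
  for (const [name, version] of Object.entries(packages)) {
    if (name === 'next' || name === 'react') out[name] = assess(name, version);
  }
  return out;
}

// Constructed sample: a project still on Next.js 16.0.1 but with React 19.2.1.
const sampleLock = { next: '16.0.1', react: '19.2.1', 'react-dom': '19.2.1' };
console.log(assessLock(sampleLock)); // { next: 'vulnerable', react: 'patched' }
```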

I have my old personal site deployed on a VM and was running Next.js 16.0.1 I think? Anyway, I did see people trying to exploit it in my logs, and I’ve seen some PoCs on GitHub as well. This is certainly very serious!


I found this vercel bulletin very helpful - https://vercel.com/kb/bulletin/react2shell


After the recent critical security vulnerability, I have fixed it in my client’s project using the React2Shell bulletin by Vercel. The Vercel dashboard is still showing the same vulnerability.

As per the official docs (the React2Shell bulletin by Vercel, CVE-2025-66478 by Next.js and the react.dev blog), I have upgraded Next.js from 16.0.0 to 16.0.7,

but the dashboard is still showing the vulnerability (as shown below). Even npx fix-react2shell-next is returning “No Vulnerability Found”.

Not sure what I’m missing. Please help me fix this issue.

Hi @techchintan, have all the projects in this list been fixed manually by you? Are there any open PRs on them?

The warning is about “preview” deployments, which ideally your customers won’t access.

To fix this message, ensure you have Vercel Authentication enabled in your project settings:

I’m having the same problem as @techchintan.

I confirmed that one of my projects has been patched for all active deployments (I am in the middle of handling this for all projects). However, that project is still showing up under the “Vulnerable Projects” list.

Why do we need to enable Vercel Authentication in order for this warning to clear? I have already patched all deployments with the latest version of Next.

Hi @dm-greenlight, thanks for elaborating.

I think the reason is that some old preview deployments are still using the vulnerable versions. This is why enabling Vercel Authentication will prevent “public users” from accessing vulnerable versions.

I hope this answers your question.


Thanks for your reply, Anshuman.

  1. No, I used the command npx fix-react2shell-next, and there is no open PR.
  2. Yes, it seems you are correct. After enabling “Vercel Authentication”, errors are resolved.

Thanks again, @anshumanb, for the heads up.


No, this is not correct. For these projects, I have no active vulnerable deployments. Both my preview and production deployments include the patched versions.

Hi @dm-greenlight,

Are your projects enabled with Vercel Authentication?

Recently, Vercel improved the vulnerability fix listing view on the dashboard, making it much clearer and more specific.

If you could share the fix list for your project, it would help us understand the problem better.

Looking forward to your response.

Best,
Chintan

No, Vercel authentication is not enabled. That is the whole point I’m trying to make. I have patched all of the deployments. I do not want to have to enable Vercel authentication. It should not be necessary if all the deployments are patched, correct?

I agree with your point that it’s not essential to enable it.

However, as @anshumanb mentioned, some older preview deployments are still using vulnerable versions. If you enable Vercel Authentication for a few hours and then disable it again, the warning will be resolved on the Vercel dashboard. I tried this for both of my projects, and it worked.

Sounds like a Vercel bug then.

Hi @dm-greenlight, if you are sure that all deployments are using the patched versions, feel free to ignore the warning.

I’ll share with the team and maybe there’s a case/reason I’m missing.

Thanks for bringing it up.


I think I figured it out now.

Apparently, there has been an update. Any versions prior to 16.0.9 are now considered vulnerable.

I updated to 16.0.8 as originally advised. But now even that version is considered vulnerable.

Once I updated to 16.0.9, the warning has cleared for me.


Enabling the “Vercel Authentication” option seems to mess with NextAuth, which breaks both production and preview deployments of one of my apps. It would be nice if there was an easy way to delete all old deployments with the vulnerability instead (using the API seems annoying as there are some rate limits to how many deployments can be deleted at once).