# Security advisory for React2Shell

Amy Egan (@amyegan) · 2025-12-03 · ♥ 6

A critical vulnerability in React Server Components (CVE-2025-55182) has been responsibly disclosed. It affects React 19 and frameworks that use it, including Next.js (CVE-2025-66478).

* If you are using Next.js, every version between Next.js 15 and 16 is affected, and we recommend immediately updating to the latest Next.js version containing the appropriate fixes (15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7).
* If you are using another framework using Server Components, we also recommend immediately updating to the latest React version containing the appropriate fixes (19.0.1, 19.1.2, and 19.2.1).

Vercel WAF rules provide an additional layer of defense by filtering known exploit patterns. However, WAF rules cannot guarantee protection against all possible variants of an attack. **Please upgrade to patched versions immediately.**

https://vercel.com/changelog/summary-of-CVE-2025-55182

### Resources

http://vercel.com/react2shell

BestCodes (@bestcodes) · 2025-12-06 · ♥ 4

I have my old personal site deployed on a VM and was running Next.js 16.0.1, I think? Anyway, I did see people trying to exploit it in my logs, and I've seen some PoCs on GitHub as well. This is certainly very serious!

Chintan (@techchintan) · 2025-12-08 · ♥ 3

I found this Vercel bulletin very helpful: https://vercel.com/kb/bulletin/react2shell

Pauline P. Narvas (@pawlean) · 2025-12-08 · ♥ 1

https://x.com/vercel_dev/status/1998049804119843048

Pauline P. Narvas (@pawlean) · 2025-12-09

https://x.com/vercel_dev/status/1998240590379860222?s=20

Pauline P. Narvas (@pawlean) · 2025-12-09

https://x.com/vercel_dev/status/1998449348867404055?s=20

Chintan (@techchintan) · 2025-12-09

After the recent critical security vulnerability, I have fixed it in my client's project using the [React2Shell bulletin by Vercel](https://vercel.com/kb/bulletin/react2shell). The Vercel dashboard is still showing the same vulnerability. As per the official docs ([React2Shell bulletin by Vercel](https://vercel.com/kb/bulletin/react2shell), [CVE-2025-66478 by Next.js](https://nextjs.org/blog/CVE-2025-66478) and the [react.dev blog](https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components)), I have upgraded Next.js from **16.0.0** to **16.0.7**, but the dashboard is still showing the vulnerability (as shown below). Even `npx fix-react2shell-next` returns *No Vulnerability Found.* Not sure what I'm missing. Please help me fix this issue.

Anshuman Bhardwaj (@anshumanb) · 2025-12-09

Hi @techchintan, have all the projects in this list been fixed manually by you? Are there any open PRs on them? The warning is about "preview" deployments, which ideally your customers won't access. To fix this message, ensure you have **Vercel Authentication** enabled in your project settings:

dm-greenlight (@dm-greenlight) · 2025-12-09

I'm having the same problem as @techchintan. I confirmed that one of my projects has been patched for all active deployments (I am in the middle of handling this for all projects). However, that project is still showing up under the "Vulnerable Projects" list. Why do we need to enable Vercel Authentication in order for this warning to clear? I have already patched all deployments with the latest version of Next.

Anshuman Bhardwaj (@anshumanb) · 2025-12-10 · ♥ 1

Hi @dm-greenlight, thanks for elaborating. I think the reason is that some old preview deployments are still using the vulnerable versions. This is why enabling Vercel Authentication will prevent "public users" from accessing vulnerable versions. I hope this answers your question.

Chintan (@techchintan) · 2025-12-10 · ♥ 1

Thanks for your reply, Anshuman.

1. No, I used the command `npx fix-react2shell-next`, and there is no open PR.
2. Yes, it seems you are correct. After enabling **"Vercel Authentication"**, the errors are resolved.

Thanks again, @anshumanb, for the heads up.

dm-greenlight (@dm-greenlight) · 2025-12-10

No, this is not correct. For these projects, I have no active vulnerable deployments. Both my preview and production deployments include the patched versions.

Chintan (@techchintan) · 2025-12-10

Hi @dm-greenlight, are your projects enabled with **Vercel Authentication**? Recently, Vercel improved the vulnerability fix listing view on the dashboard, making it much clearer and more specific. If you could share the fix list for your project, it would help us understand the problem better. Looking forward to your response.

Best,
Chintan

dm-greenlight (@dm-greenlight) · 2025-12-10

No, Vercel Authentication is not enabled. That is the whole point I'm trying to make. I have patched all of the deployments. I do not want to have to enable Vercel Authentication. It should not be necessary if all the deployments are patched, correct?

Chintan (@techchintan) · 2025-12-10

I agree with your point that it's not essential to enable it. However, as @anshumanb mentioned, some older preview deployments are still using vulnerable versions. If you enable Vercel Authentication for a few hours and then disable it again, the warning will be resolved on the Vercel dashboard. I tried this for both of my projects, and it worked.

dm-greenlight (@dm-greenlight) · 2025-12-10

Sounds like a Vercel bug then.

Anshuman Bhardwaj (@anshumanb) · 2025-12-10 · ♥ 1

Hi @dm-greenlight, if you are sure that all deployments are using the patched versions, feel free to ignore the warning. I'll share with the team and maybe there's a case/reason I'm missing. Thanks for bringing it up.

dm-greenlight (@dm-greenlight) · 2025-12-11 · ♥ 1

I think I figured it out now. Apparently, there has been an update. Any versions prior to 16.0.9 are now considered vulnerable. I updated to 16.0.8 as originally advised. But now even that version is considered vulnerable. Once I updated to 16.0.9, the warning cleared for me.

Teekola (@teekola) · 2025-12-12

Enabling the "Vercel Authentication" option seems to mess with NextAuth, which breaks both production and preview deployments of one of my apps. It would be nice if there was an easy way to delete all old deployments with the vulnerability instead (using the API seems annoying, as there are rate limits on how many deployments can be deleted at once).

Jacob Paris (@jacobparis) · 2025-12-12 · ♥ 1

16.0.8 contains the patch for React2Shell, but there were two other vulnerabilities announced today, which is why the second update was needed. This pattern is typical, as one security incident attracts a lot of attention from security researchers, who then find new exploits. You can read more about the newer CVEs here: https://community.vercel.com/t/react-server-components-security-update-dos-and-source-code-exposure/29708

Leoanhvig (@leoanhvig) · 2026-01-16

My project has been upgraded to the latest versions of React and Next.js, but Vercel still shows a security warning about React2Shell. I have also enabled Vercel Authentication. So why is it still affected? There is an **Upgrade** button, but when I click it, it throws an error, so now I can't check where exactly the project is having issues.

Pauline P. Narvas (@pawlean) · 2026-01-27 · ♥ 1

Here's the latest: https://vercel.com/changelog/summaries-of-cve-2025-59471-and-cve-2025-59472
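A small audit script, added here as an illustration and not code from the thread, from Vercel or from the `fix-react2shell-next` tool, that compares the `next` and `react` versions pinned in an npm lockfile against the patched releases listed in the original post. The lockfile shown is constructed; as later replies in the thread note, follow-up CVEs raised the bar (16.0.9), so the table is what to update, not the comparison logic.

```javascript
// Added example (not from the thread or from Vercel): classify the next/react
// versions in an npm lockfile against the patched releases in the advisory.
const PATCHED = {
  next: ["15.0.5", "15.1.9", "15.2.6", "15.3.6", "15.4.8", "15.5.7", "16.0.7"],
  react: ["19.0.1", "19.1.2", "19.2.1"],
};
// Major lines the advisory names as affected (Next.js 15 and 16, React 19).
const AFFECTED_MAJORS = { next: [15, 16], react: [19] };

function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number); // [major, minor, patch]
}

// Returns "patched", "vulnerable", "not-listed" (a minor line the advisory
// gives no fix for, e.g. one released later) or "out-of-range" (major not named).
function classify(pkg, version) {
  const [maj, min, pat] = parseSemver(version);
  if (!AFFECTED_MAJORS[pkg].includes(maj)) return "out-of-range";
  const fix = PATCHED[pkg].map(parseSemver).find(([M, m]) => M === maj && m === min);
  if (!fix) return "not-listed";
  return pat >= fix[2] ? "patched" : "vulnerable";
}

// Reads installed versions from an npm lockfile (lockfileVersion 2/3 "packages" map),
// which reflects what is actually installed rather than the package.json range.
function auditLockfile(lockJson) {
  const lock = JSON.parse(lockJson);
  const result = {};
  for (const pkg of Object.keys(PATCHED)) {
    const entry = lock.packages && lock.packages[`node_modules/${pkg}`];
    result[pkg] = entry ? classify(pkg, entry.version) : "absent";
  }
  return result;
}

// Constructed sample lockfile: next already bumped to 16.0.7, react still on 19.2.0.
const SAMPLE_LOCK = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    "node_modules/next": { version: "16.0.7" },
    "node_modules/react": { version: "19.2.0" },
  },
});

console.log(auditLockfile(SAMPLE_LOCK)); // { next: 'patched', react: 'vulnerable' }
```

The "not-listed" outcome is deliberate: a minor line that appeared after the advisory is not proven safe by this table and should be checked against the current changelog rather than assumed patched.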