Security advisory for React2Shell

16.0.8 contains the patch for React2Shell, but there were two other vulnerabilities announced today, which is why the second update was needed. This pattern is typical, as one security incident attracts a lot of attention from security researchers who then find new exploits.

You can read more about the newer CVEs here.

1 Like

My project has been upgraded to the latest versions of React and Next.js, but Vercel still shows a security warning about React2Shell. I have also enabled Vercel Authentication. So why is it still affected? There is an Upgrade button, but when I click it, it throws an error, so now I can’t check where exactly the project is having issues.

Here’s the latest:

1 Like