Shikhil Saxena

Dec 30, 2025 • 7 min read

Security Bulletin: CVE-2025-55184 and CVE-2025-55183

Following the React2Shell disclosure, increased community research into React Server Components surfaced two additional vulnerabilities that require patching: a high-severity Denial of Service (CVE-2025-55184) and a medium-severity Source Code Exposure (CVE-2025-55183). They affect React 19 and frameworks that use it, like Next.js.

Neither of these new issues allows Remote Code Execution.

Critical CVEs often lead to follow-ups. Once a patch lands, researchers dig deeper, looking for bypasses, variants, or missed edge cases. We are grateful to the security community for continuing to test and help strengthen the ecosystem.

We recommend checking this page and the Vercel Developers X Account frequently for the latest updates, and will continue to include them in the Vercel Dashboard as well.

Required action

These vulnerabilities affect React versions 19.0.0 through 19.2.1 and Next.js versions 13.x through 16.x.

If you're running an affected version, upgrade immediately, regardless of other protections in place.

Jump to the How to upgrade and protect your Next.js app guide to learn how to patch and protect your application.

Updates

Date: December 11, 4:31 PM PST

Update: The initial fix was incomplete and did not fully prevent denial-of-service attacks for all payload types, resulting in CVE-2025-67779. Everyone must upgrade to the latest patched versions listed in the Patched versions table.


When to upgrade your application

These vulnerabilities are present in React versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1 of the following packages:

  • react-server-dom-parcel

  • react-server-dom-webpack

  • react-server-dom-turbopack

These packages are included in the following frameworks and bundlers:

  • Next.js: 13.x, 14.x, 15.x, and 16.x

  • Other frameworks and plugins that embed or depend on the React Server Components implementation (e.g., Vite, Parcel, React Router, RedwoodSDK, Waku)

Understanding CVE-2025-55184 and CVE-2025-55183

Denial of Service (CVE-2025-55184)

A crafted HTTP request sent to any App Router endpoint can, when deserialized, cause the server process to hang and consume CPU.

Source Code Exposure (CVE-2025-55183)

A crafted HTTP request sent to any App Router endpoint can return the compiled source code of Server Actions. This could reveal business logic, but would not expose secrets unless they were hardcoded directly into the Server Action's code.

Vercel WAF protection

We created new rules to address these vulnerabilities and deployed them to the Vercel WAF to automatically protect all projects hosted on Vercel at no cost.

Vercel WAF rules provide an additional layer of defense by filtering known exploit patterns.

WAF rules cannot guarantee protection against all possible variants of an attack. Immediate upgrades to a patched version are required.

How to upgrade and protect your Next.js app


Vercel security actions dashboard

Vercel provides a unified dashboard that surfaces any security issues requiring action from your team, including remediation steps. View your security actions dashboard.

Vercel deployment protection

Even if your production app has been patched, older versions could still be vulnerable. We strongly recommend turning on Standard Protection for all deployments besides your production domain.

You can see a list of projects without deployment protection in your security actions dashboard or by reviewing your deployment protection settings.

Make sure that preview deployments and deployments from other environments are not used by external users without protection bypass first (see the documentation for details).

You should also audit shareable links from your deployments. If you have disabled deployment protection to share domains that point to preview or custom environment deployments, you should implement deployment protection exceptions and make sure that all deployments added to the exception list have been patched.

Version upgrade methods

Automated upgrade with Vercel Agent

Vercel Agent can automatically detect vulnerable projects and open PRs that upgrade your code to patched versions.

View vulnerable projects and initiate upgrades in the Vercel security actions dashboard.

Upgrade with the command line tool

You can quickly update your Next.js project to the right version by using the fix-react2shell-next command-line tool, which has been updated to fix these additional vulnerabilities.

Run the following command to check your versions and apply upgrades:

terminal

npx fix-react2shell-next

Once tested, deploy your updated application as soon as possible. See the deployment guide for instructions.

Manual upgrade

1. Identify your current version

Load a page from your app and run next.version in the browser console to see the current version, or check your package.json:

package.json

{
  "dependencies": {
    "next": "15.3.4"
  }
}

2. Update to the patched version

Based on the following list, identify which patched release you need to upgrade to:

Patched versions

Columns: DoS (CVE-2025-55184), Source Code Exposure (CVE-2025-55183), Fixed In.

  • Next.js >=13.3: DoS ✔️, Source Code Exposure —, upgrade to 14.2.35

  • Next.js 14.x: DoS ✔️, Source Code Exposure —, fixed in 14.2.35

  • Next.js 15.0.x: DoS ✔️, Source Code Exposure ✔️, fixed in 15.0.7

  • Next.js 15.1.x: DoS ✔️, Source Code Exposure ✔️, fixed in 15.1.11

  • Next.js 15.2.x: DoS ✔️, Source Code Exposure ✔️, fixed in 15.2.8

  • Next.js 15.3.x: DoS ✔️, Source Code Exposure ✔️, fixed in 15.3.8

  • Next.js 15.4.x: DoS ✔️, Source Code Exposure ✔️, fixed in 15.4.10

  • Next.js 15.5.x: DoS ✔️, Source Code Exposure ✔️, fixed in 15.5.9

  • Next.js 15.x canary: DoS ✔️, Source Code Exposure ✔️, fixed in 15.6.0-canary.60

  • Next.js 16.0.x: DoS ✔️, Source Code Exposure ✔️, fixed in 16.0.10

  • Next.js 16.0.x canary: DoS ✔️, Source Code Exposure ✔️, fixed in 16.1.0-canary.19

Next.js Pages Router applications are not affected.

If you're currently using canary releases to enable PPR, you can update to 15.6.0-canary.60, which includes a fix for the vulnerability while continuing to support PPR. For other ways to patch older versions, see this discussion post.

Update your package.json to the patched release for your version line (15.3.8 for the 15.3.x example above, per the Patched versions list):

package.json

{
  "dependencies": {
    "next": "15.3.8"
  }
}

3. Install dependencies and update lockfile

Always commit lockfile changes together with package.json changes.

Run your package manager's install command:

terminal

# npm
npm install

# yarn
yarn install

# pnpm
pnpm install

# bun
bun install

4. Deploy immediately

Once tested, deploy your updated application as soon as possible. See the deployment guide for instructions.
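Steps 1 and 2 above amount to "read the pinned version, find its row in the Patched versions list, compare". The following Node.js script is an added example that does exactly that; it is not Vercel's fix-react2shell-next tool or any other code from the bulletin. It transcribes the Patched versions list and the affected react-server-dom-* versions from this page, strips range operators (^, ~, =) so a range is judged by its lower bound, and reports whether each dependency is patched, needs an upgrade, or has no row in the list. The sample package.json it audits when run without a path is constructed.

```javascript
// Added example (not Vercel's fix-react2shell-next tool): audit a package.json
// against the patched Next.js versions in this bulletin's table and the React
// versions named as affected for the react-server-dom-* packages.
// Range operators (^, ~, =) are stripped, so a range is judged by its lower
// bound; checking the resolved version in your lockfile is stricter.

// Patched Next.js releases, transcribed from the bulletin's Patched versions list.
const PATCHED_NEXT_STABLE = {
  "13": "14.2.35", "14": "14.2.35",              // 13.3+ and all 14.x move to 14.2.35
  "15.0": "15.0.7", "15.1": "15.1.11", "15.2": "15.2.8",
  "15.3": "15.3.8", "15.4": "15.4.10", "15.5": "15.5.9",
  "16.0": "16.0.10",
};
// Canary lines: "15.x canary" -> 15.6.0-canary.60, "16.0.x canary" -> 16.1.0-canary.19.
const PATCHED_NEXT_CANARY = { "15": "15.6.0-canary.60", "16": "16.1.0-canary.19" };

// Affected versions of react-server-dom-{parcel,webpack,turbopack}, from the bulletin.
const AFFECTED_RSC_VERSIONS = new Set([
  "19.0.0", "19.0.1", "19.1.0", "19.1.1", "19.1.2", "19.2.0", "19.2.1",
]);
const RSC_PACKAGES = ["react-server-dom-parcel", "react-server-dom-webpack", "react-server-dom-turbopack"];

// Parse "15.3.4", "^14.2.30" or "15.6.0-canary.60"; tags and wide ranges return null.
function parseVersion(spec) {
  const m = /^[\^~=v\s]*(\d+)\.(\d+)\.(\d+)(?:-canary\.(\d+))?$/.exec(String(spec));
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], canary: m[4] === undefined ? null : +m[4] };
}

// Negative if a < b, zero if equal, positive if a > b. A stable x.y.z is newer than x.y.z-canary.N.
function compareVersions(a, b) {
  for (const k of ["major", "minor", "patch"]) if (a[k] !== b[k]) return a[k] - b[k];
  if (a.canary === null && b.canary === null) return 0;
  if (a.canary === null) return 1;
  if (b.canary === null) return -1;
  return a.canary - b.canary;
}

// The release the list tells this Next.js version to move to, or null if the list has no row for it.
function fixedNextVersion(v) {
  if (v.canary !== null) return PATCHED_NEXT_CANARY[String(v.major)] ?? null;
  if (v.major === 13) return v.minor >= 3 ? PATCHED_NEXT_STABLE["13"] : null; // <13.3: see the discussion post
  if (v.major === 14) return PATCHED_NEXT_STABLE["14"];
  return PATCHED_NEXT_STABLE[`${v.major}.${v.minor}`] ?? null;
}

function auditNext(spec) {
  const v = parseVersion(spec);
  if (!v) return { status: "unparsed", current: spec };
  if (v.major < 13 || v.major > 16) return { status: "out-of-scope", current: spec };
  const target = fixedNextVersion(v);
  if (!target) return { status: "unknown", current: spec };
  const patched = compareVersions(v, parseVersion(target)) >= 0;
  return { status: patched ? "patched" : "upgrade", current: spec, target };
}

// Audit a parsed package.json: the "next" dependency plus any react-server-dom-* packages.
function auditPackageJson(pkg) {
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const findings = [];
  if (deps.next !== undefined) findings.push({ package: "next", ...auditNext(deps.next) });
  for (const name of RSC_PACKAGES) {
    if (deps[name] === undefined) continue;
    const v = parseVersion(deps[name]);
    const affected = v !== null && v.canary === null
      && AFFECTED_RSC_VERSIONS.has(`${v.major}.${v.minor}.${v.patch}`);
    findings.push({ package: name, current: deps[name], status: affected ? "upgrade" : "not-listed" });
  }
  return findings;
}

// Constructed sample: the bulletin's own example pin (15.3.4) plus an affected RSC package.
const SAMPLE_PACKAGE_JSON = {
  dependencies: { next: "15.3.4", "react-server-dom-webpack": "19.2.1" },
};

// Usage: node check-next-version.js path/to/package.json (audits the sample when no path is given).
const pkgPath = process.argv[2];
const pkg = pkgPath && pkgPath.endsWith("package.json")
  ? JSON.parse(require("fs").readFileSync(pkgPath, "utf8"))
  : SAMPLE_PACKAGE_JSON;
for (const finding of auditPackageJson(pkg)) console.log(finding);
```

A status of "unknown" means the pinned version has no row in the list (for example 13.0 to 13.2, which the bulletin routes to the discussion post), and "not-listed" for a react-server-dom-* package only means the version is not one of the seven named here; neither should be read as a clean bill of health, and the lockfile's resolved version is what actually ships.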

Deployment guide

If you're deploying to Vercel, the platform already blocks new deployments of vulnerable versions and has WAF rules in place, but upgrading remains critical.

If you deploy via Git, pushing your changes will trigger a preview build with the patched version, and merging will promote that build to production.

You can also create a Manual Deployment from the Vercel Dashboard to publish the fix immediately.

If you are using the Vercel CLI, deploy with this command:

terminal

vercel --prod

Rotating environment variables

Rotating environment variables is only recommended if secrets were already stored as plain text in your own codebase.

Learn how to rotate the environment variables for your Vercel team and projects.
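The Source Code Exposure section notes that CVE-2025-55183 only reveals secrets that were hardcoded into a Server Action, and the rotation advice above applies in exactly that case. The script below is an added example, not Vercel's tooling, for answering "does that apply to me": a heuristic scan that looks for string literals assigned to secret-like names in files carrying the "use server" directive. The two sample sources it scans are constructed, and the key format and API host in them are invented placeholders.

```javascript
// Added example, not Vercel's tooling: a heuristic scan for credentials hardcoded
// in Server Action source, to decide whether the rotation advice applies to you.
// It flags string literals assigned to secret-like names in files that carry the
// "use server" directive. The sample sources below are constructed; the names,
// host and key format in them are invented placeholders.

const SECRET_NAME = /(api[_-]?key|secret|token|password|passwd|private[_-]?key|credential)/i;
// Matches `name = "literal"`, `name: 'literal'` or `name = \`literal\`` with at least 8 characters.
const ASSIGNMENT = /\b([A-Za-z_$][\w$]*)\s*[:=]\s*(['"`])((?:(?!\2).){8,})\2/g;

function isServerActionSource(source) {
  // The directive sits on its own line at the top of the file or of a function body.
  return /^\s*['"]use server['"]\s*;?\s*$/m.test(source);
}

// One finding per secret-like literal; the value is redacted to a short prefix.
function findHardcodedSecrets(source) {
  const findings = [];
  source.split("\n").forEach((line, idx) => {
    if (/^\s*\/\//.test(line)) return;            // skip single-line comments
    ASSIGNMENT.lastIndex = 0;
    let m;
    while ((m = ASSIGNMENT.exec(line)) !== null) {
      const [, name, , literal] = m;
      if (!SECRET_NAME.test(name)) continue;
      if (literal.includes("${")) continue;       // template reading process.env, not a constant
      findings.push({ line: idx + 1, name, preview: literal.slice(0, 4) + "..." });
    }
  });
  return findings;
}

// Only Server Action files are in scope for this bulletin, so gate on the directive.
function auditServerAction(source) {
  const serverAction = isServerActionSource(source);
  return { serverAction, findings: serverAction ? findHardcodedSecrets(source) : [] };
}

// Constructed sample 1: secret embedded in the action (what the rotation advice targets).
const SAMPLE_HARDCODED = [
  '"use server";',
  '// Constructed example; the key below is a placeholder, not a real credential.',
  'const apiKey = "sk_test_PLACEHOLDER_0123456789";',
  'export async function sendInvoice(id) {',
  '  return fetch("https://billing.example/v1/send", {',
  '    method: "POST",',
  '    headers: { Authorization: "Bearer " + apiKey },',
  '    body: JSON.stringify({ id }),',
  '  });',
  '}',
].join("\n");

// Constructed sample 2: the same action reading the key from the environment.
const SAMPLE_ENV = [
  '"use server";',
  'const apiKey = process.env.BILLING_API_KEY;',
  'export async function sendInvoice(id) {',
  '  return fetch("https://billing.example/v1/send", {',
  '    method: "POST",',
  '    headers: { Authorization: "Bearer " + apiKey },',
  '    body: JSON.stringify({ id }),',
  '  });',
  '}',
].join("\n");

console.log(auditServerAction(SAMPLE_HARDCODED)); // one finding on line 3 for apiKey
console.log(auditServerAction(SAMPLE_ENV));       // no findings
```

Run it over each file under your app directory that contains "use server"; a hit means the literal was part of the compiled action source that CVE-2025-55183 could return, so that credential is the one to rotate and move into an environment variable. The scan is deliberately name-based and will miss secrets stored under unrelated names, so treat it as a first pass rather than a proof of absence.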
