See the Security Bulletin for the latest updates. Link to heading Summary Two additional vulnerabilities in React Server Components have been identified: a high-severity Denial of Service ( CVE-2025-55184 ) and a medium-severity Source Code Exposure ( CVE-2025-55183 ). These issues were discovered while security researchers examined the patches for the original React2Shell vulnerability. The initial fix was incomplete and did not fully prevent denial-of-service attacks for all payload types, resulting in CVE-2025-67779 . Importantly, none of these new issues allow for Remote Code Execution. We created new rules to address these vulnerabilities and deployed them to the Vercel WAF to automatically protect all projects hosted on Vercel at no cost. However, do not rely on the WAF for full protection. Immediate upgrades to a patched version are required.…