December 11, 2025 update: Following the React2Shell disclosure, increased community research into React Server Components surfaced two additional vulnerabilities that require patching: CVE-2025-55184 (DoS) and CVE-2025-55183 (source code disclosure). See the new Security Bulletin for details. On December 4, 2025, publicly available exploits emerged for React2Shell, a critical vulnerability in React Server Components affecting React 19 ( CVE-2025-55182) and frameworks that use it like Next.js ( CVE-2025-66478) . The situation continues to be dynamic. We recommend checking this page and the Vercel Developers X Account frequently for the latest updates, and will continue to include them in the Vercel Dashboard as well. The vulnerability affects Next.js versions 15.0.0 through 16.0.6. If you're running an affected version, upgrade immediately, regardless of other protections in place. Jump to the How to upgrade and protect your Next.js app guide to learn how to patch and protect your application.…