See the React2Shell security bulletin for the latest updates.

Summary

A critical-severity vulnerability in React Server Components (CVE-2025-55182) affects React 19 and frameworks that use it, including Next.js (CVE-2025-66478). Under certain conditions, specially crafted requests could lead to unintended remote code execution.

We created new rules to address this vulnerability and quickly deployed them to the Vercel WAF to automatically protect all projects hosted on Vercel at no cost. However, do not rely on the WAF for full protection. Immediate upgrades to a patched version are required.

We also worked with the React team to deliver recommendations to the largest WAF and CDN providers. We still strongly recommend upgrading to a patched version regardless of your hosting provider.

Impact

Applications using affected versions of the React Server Components implementation may process untrusted input in a way that allows an attacker to perform remote code execution.…