Vercel security bulletin documenting React2Shell, a critical vulnerability in React Server Components (CVE-2025-55182) affecting React 19 and Next.js versions 15.0.0–16.0.6. Public exploits emerged December 4, 2025, with two additional vulnerabilities (CVE-2025-55184 DoS, CVE-2025-55183 source disclosure) discovered December 11. Vercel recommends immediate upgrades and provides automated patching via Vercel Agent.
Safety
React2Shell Security Bulletin
Critical React Server Components vulnerability (CVE-2025-55182) in React 19 and Next.js 15.0.0–16.0.6 has active public exploits, forcing millions of dependents to upgrade immediately or face RCE risk.
Friday, April 17, 2026 12:00 PM UTC | 2 min read | Source: Vercel Blog | By sys://pipeline