A critical-severity vulnerability in React Server Components affects React 19 and Next.js. Immediate upgrades are required.
Vercel Security
Security Team
A critical-severity vulnerability in React Server Components (CVE-2025-55182) affects React 19 and frameworks that use it, including Next.js (CVE-2025-66478). Under certain conditions, specially crafted requests could lead to unintended remote code execution.
We created new rules to address this vulnerability and quickly deployed them to the Vercel WAF to automatically protect all projects hosted on Vercel at no cost. However, do not rely on the WAF for full protection. Immediate upgrades to a patched version are required. We also worked with the React team to deliver recommendations to the largest WAF and CDN providers.
Important
We still strongly recommend upgrading to a patched version regardless of your hosting provider.
Applications using affected versions of the React Server Components implementation may process untrusted input in a way that allows an attacker to perform remote code execution. The vulnerability is present in versions 19.0, 19.1.0, 19.1.1, and 19.2.0 of the following packages:
react-server-dom-parcel (19.0.0, 19.1.0, 19.1.1, and 19.2.0)
react-server-dom-webpack (19.0.0, 19.1.0, 19.1.1, and 19.2.0)
react-server-dom-turbopack (19.0.0, 19.1.0, 19.1.1, and 19.2.0)
These packages are included in the following frameworks and bundlers:
After creating mitigations to address this vulnerability, we deployed them across our globally-distributed platform to quickly protect our customers. We still recommend upgrading to the latest patched version.
Updated releases of React and affected downstream frameworks include hardened handling of user inputs to prevent unintended behavior. All users should upgrade to a patched version as soon as possible. If you are on Next.js 14.3.0-canary.77 or a later canary release, downgrade to the latest stable 14.x release.
Frameworks and bundlers using the aforementioned packages should install the latest versions provided by their respective maintainers.
Thanks to Lachlan Davidson for identifying and responsibly reporting the vulnerability, and the Meta Security and React team for their partnership.
When that log was written, the patched versions didn’t exist on npm. Now:
These are explicitly listed as the fixed versions for the React2Shell / RSC RCE advisory. So you can (and should) upgrade now.
Assuming you’re already on Next 16.0.x and React 19.x (like your snippet):
# 1) Upgrade framework + UI libs
npm install next@16.0.7 react@19.2.1 react-dom@19.2.1 --save
# 2) (Recommended) Make sure RSC package is patched too
npm install react-server-dom-webpack@latest --save-dev
# Or, with yarn:
yarn add next@16.0.7 react@19.2.1 react-dom@19.2.1
yarn add -D react-server-dom-webpack@latest
# Or, with pnpm:
pnpm add next@16.0.7 react@19.2.1 react-dom@19.2.1
pnpm add -D react-server-dom-webpack@latest
Then:
# Rebuild and run tests
npm run lint
npm run test
npm run build
Redeploy after a successful build — Vercel should stop blocking once it sees a patched next version.
Vercel shipped an npm helper that automatically updates affected Next.js apps:
npx fix-react2shell-next@latest
This scans your repo and bumps next (and related packages) to safe versions across workspaces/monorepos. You can still pin versions afterward in package.json if you want full control.
From your project root:
# Check what’s actually installed
npm list next react react-dom react-server-dom-webpack
# Confirm these match the patched versions
npm view next@16.0.7 version
npm view react@19.2.1 version
npm view react-dom@19.2.1 version
You should now see:
next@16.0.7
react@19.2.1
react-dom@19.2.1
If Vercel was blocking deploys before, re-running the deployment after this upgrade should succeed.
If you’re pinned to another 15.x line, the safe patch versions are:
TL;DR
Just bump Next to 16.0.7 and React/React-DOM to 19.2.1, rebuild, and redeploy. The patches are live now.
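As an added example (not code from the advisory or from Vercel's fix-react2shell-next helper), the following Node script walks a dependency tree in the shape `npm ls --all --json` prints and flags the affected react-server-dom-* versions listed above, plus any Next 16.0.x release below the 16.0.7 fix; the sample tree is constructed, and the package layout it assumes is only the nested `dependencies` object npm emits.

```javascript
// Added example (not the advisory's own code): flag the react-server-dom-*
// versions the advisory lists as affected inside an `npm ls --all --json` tree.
const AFFECTED_RSC_VERSIONS = new Set(["19.0.0", "19.1.0", "19.1.1", "19.2.0"]);
const RSC_PACKAGES = new Set(["react-server-dom-parcel", "react-server-dom-webpack", "react-server-dom-turbopack"]);

function parseSemver(v) {
  // Returns [major, minor, patch] or null; pre-release tags are ignored.
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  return m ? m.slice(1, 4).map(Number) : null;
}

// Walk the nested `dependencies` tree, collecting every package seen
// (transitive ones included) together with the path that pulled it in.
function walkTree(node, path = [], out = []) {
  for (const [name, info] of Object.entries(node.dependencies || {})) {
    const here = [...path, `${name}@${info.version}`];
    out.push({ name, version: info.version, path: here.join(" > ") });
    walkTree(info, here, out);
  }
  return out;
}

// Returns one finding per vulnerable package instance; an empty array means clean.
function auditTree(tree) {
  const findings = [];
  for (const dep of walkTree(tree)) {
    if (RSC_PACKAGES.has(dep.name) && AFFECTED_RSC_VERSIONS.has(dep.version)) {
      findings.push(`${dep.path}: affected RSC package (CVE-2025-55182)`);
    }
    const v = parseSemver(dep.version);
    // Only the 16.0.x line is checked, since 16.0.7 is the fix named above;
    // other Next lines need their own patch version, which this script does not know.
    if (dep.name === "next" && v && v[0] === 16 && v[1] === 0 && v[2] < 7) {
      findings.push(`${dep.path}: upgrade to next@16.0.7 (CVE-2025-66478)`);
    }
  }
  return findings;
}

// Constructed sample in the shape `npm ls --all --json` prints; not real output.
const SAMPLE_TREE = {
  name: "my-app",
  dependencies: {
    next: { version: "16.0.3", dependencies: { "react-server-dom-webpack": { version: "19.2.0" } } },
    react: { version: "19.2.0" },
    "react-dom": { version: "19.2.0" },
  },
};

console.log(auditTree(SAMPLE_TREE).join("\n") || "no affected packages found");
```

To audit a real project, replace SAMPLE_TREE with the parsed output of `npm ls --all --json` from the project root; an empty result means none of the listed affected versions is installed, not that every other package is current.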