React Server Components security update: DoS and Source Code Exposure
React Server Components patches two new CVEs — a high-severity denial-of-service flaw and a medium-severity source code exposure — affecting versions 19.0.0 through 19.2.1, with immediate upgrades required.
See the Security Bulletin for the latest updates.

Two additional vulnerabilities in React Server Components have been identified: a high-severity Denial of Service (CVE-2025-55184) and a medium-severity Source Code Exposure (CVE-2025-55183). These issues were discovered while security researchers examined the patches for the original React2Shell vulnerability. The initial fix was incomplete and did not fully prevent denial-of-service attacks for all payload types, resulting in CVE-2025-67779.

Importantly, none of these new issues allow for Remote Code Execution.
We created new rules to address these vulnerabilities and deployed them to the Vercel WAF to automatically protect all projects hosted on Vercel at no cost. However, do not rely on the WAF for full protection. Immediate upgrades to a patched version are required.

A malicious HTTP request can be crafted and sent to any App Router endpoint that, when deserialized, can cause the server process to hang and consume CPU.

A malicious HTTP request can be crafted and sent to any App Router endpoint that can return the compiled source code of Server Actions. This could reveal…