Summary of CVE-2025-55182
A critical remote code execution vulnerability (CVE-2025-55182) in React Server Components affects React 19.0–19.2.0 and downstream frameworks including Next.js, with patched versions now available.
See the React2Shell security bulletin for the latest updates.
A critical-severity vulnerability in React Server Components (CVE-2025-55182) affects React 19 and frameworks that use it, including Next.js (CVE-2025-66478). Under certain conditions, specially crafted requests could lead to unintended remote code execution.
We also worked with the React team to deliver recommendations to the largest WAF and CDN providers. We created new rules to address this vulnerability and quickly deployed them to the Vercel WAF, which automatically protects all projects hosted on Vercel at no cost.
However, do not rely on the WAF for full protection: an immediate upgrade to a patched version is required, regardless of your hosting provider.
Applications using affected versions of the React Server Components implementation may process untrusted input in a way that allows an attacker to perform remote code execution. The vulnerability is present in versions 19.0, 19.1.0, 19.1.1, and 19.2.0 of the following packages:
These packages are included in the following frameworks and bundlers:
After creating…
Source: vercel.com