Action Required: upgrade Next.js Immediately — CVE-2025-55182 (React2Shell)

We're following up on our earlier communication regarding CVE-2025-55182, the critical RCE vulnerability affecting React Server Components.

We want to be direct: if you have not yet upgraded, please do so immediately. That is the only way to be safe. Since our initial outreach, public exploits are available and threat activity has significantly increased. As of today, Vercel has blocked all new deployments of vulnerable Next.js versions.

Your next step: upgrade to a patched version of Next.js (15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, or 16.0.7). See blog post for full details and remediation guidance. We will continue to update this blog as needed.

Resources for protecting against 'React2Shell'

If you have questions or need support with your upgrade path, reply to this email or reach out to security@vercel.com.