惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

T
Threat Research - Cisco Blogs
博客园 - 聂微东
小众软件
小众软件
P
Proofpoint News Feed
Security Archives - TechRepublic
Security Archives - TechRepublic
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
TaoSecurity Blog
TaoSecurity Blog
博客园 - 司徒正美
罗磊的独立博客
N
News and Events Feed by Topic
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
S
Security Affairs
S
Security @ Cisco Blogs
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
The GitHub Blog
The GitHub Blog
月光博客
月光博客
S
Secure Thoughts
P
Proofpoint News Feed
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
Forbes - Security
Forbes - Security
H
Heimdal Security Blog
W
WeLiveSecurity
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
L
LangChain Blog
T
The Blog of Author Tim Ferriss
NISL@THU
NISL@THU
Google DeepMind News
Google DeepMind News
Cloudbric
Cloudbric
H
Hacker News: Front Page
The Last Watchdog
The Last Watchdog
Hacker News - Newest:
Hacker News - Newest: "LLM"
C
Cisco Blogs
博客园 - 三生石上(FineUI控件)
博客园_首页
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
S
Schneier on Security
Project Zero
Project Zero
SecWiki News
SecWiki News
爱范儿
爱范儿
The Register - Security
The Register - Security
AI
AI
H
Hackread – Cybersecurity News, Data Breaches, AI and More
Y
Y Combinator Blog
L
Lohrmann on Cybersecurity
Application and Cybersecurity Blog
Application and Cybersecurity Blog
P
Privacy International News Feed
J
Java Code Geeks
S
Securelist
C
Cyber Attacks, Cyber Crime and Cyber Security
V
Visual Studio Blog

Vercel News

Vercel Open Source Program: Winter 2026 cohort How Notion Workers run untrusted code at scale with Vercel Sandbox How we run Vercel's CDN in front of Discourse From idea to secure checkout in minutes with Stripe Building Slack agents can be easy Scaling redirects to infinity on Vercel Advancing Python typing Gamma builds design-first agents with Vercel How Avalara turns pipe dreams into patent-pending with v0 Keeping community human while scaling with agents How OpenEvidence built a healthcare AI that physicians actually trust Security boundaries in agentic architectures Skills Night: 69,000+ ways agents are getting smarter Video Generation with AI Gateway We Ralph Wiggumed WebStreams to make them 10x faster How Stably ships AI testing agents in hours, not weeks How we built AEO tracking for coding agents Anyone can build agents, but it takes a platform to run them Introducing Geist Pixel The Vercel AI Accelerator is back with $6m in credits Making agent-friendly pages with content negotiation The Vercel OSS Bug Bounty program is now available Introducing the new v0 Run untrusted code with Vercel Sandbox, now generally available How Stripe built a game-changing app in a single flight with v0 How Sensay went from zero to product in six weeks AGENTS.md outperforms skills in our agent evals Agent skills explained: An FAQ Testing if "bash is all you need" AWS databases are now live on the Vercel Marketplace and v0 Use Perplexity Web Search with Vercel AI Gateway Introducing: React Best Practices Nick Bogaty joins Vercel as Chief Revenue Officer How Mux shipped durable video workflows with their @mux/ai SDK How to build agents with filesystems and bash How we made v0 an effective coding agent Stopping the slow death of internal tools Building AI-Generated Pixel Trading Cards with Vercel AI Gateway We removed 80% of our agent’s tools AI SDK 6 Our $1 million hacker challenge for React2Shell Cline now runs on Vercel AI Gateway How to prompt v0 Build smarter workflows with Notion and v0 Vercel launches partner certification Inside Workflow DevKit: How framework integrations work Billions of requests: Black Friday-Cyber Monday 2025 Investing in the Python ecosystem AWS Databases coming to the Vercel Marketplace How we built the v0 iOS app Workflow Builder: Build your own workflow automation platform Vercel Open Source Program: Fall 2025 cohort Self-driving infrastructure Vercel collaborates with Google for Gemini 3 Pro Preview launch Vercel: The anti-vendor-lock-in cloud How Nous Research used BotID to block automated abuse at scale How AI Gateway runs on Fluid compute What we learned building agents at Vercel Build and deploy data applications on Snowflake with v0 BotID Deep Analysis catches a sophisticated bot network in real-time Vercel achieves TISAX AL2 compliance to serve automotive partners Bun runtime on Vercel Functions David Totten Joins Vercel to Lead Global Field Engineering Vercel Ship AI 2025 recap You can just ship agents AI agents and services on the Vercel Marketplace Built-in durability: Introducing Workflow Development Kit Zero-config backends on Vercel AI Cloud Introducing Vercel Agent: Your new Vercel teammate Update regarding Vercel service disruption on October 20, 2025 Agents at work, a partnership with Salesforce and Slack Running Next.js in ChatGPT: How to Build ChatGPT Apps Talha Tariq joins Vercel as CTO of Security Just another (Black) Friday Server rendering benchmarks: Fluid Compute and Cloudflare Workers Towards the AI Cloud: Our Series F Collaborating with Anthropic on Claude Sonnet 4.5 to power intelligent coding agents Preventing the stampede: Request collapsing in the Vercel CDN BotID uncovers hidden SEO poisoning How we made global routing faster with Bloom filters What you need to know about vibe coding Scale to one: How Fluid solves cold starts Addressing security & quality issues with MCP tools - Vercel AI agents at scale: Rox’s Vercel-powered revenue operating system Helly Hansen migrated to Vercel and drove 80% Black Friday growth Agentic Infrastructure Zero Data Retention on AI Gateway Optimizing Vercel Sandbox snapshots How Waldium made a blog platform work for humans and AI alike How FLORA shipped a creative agent on Vercel's AI stack Agent responsibly Making Turborepo 96% faster with agents, sandboxes, and humans Unified reporting for all AI Gateway usage new.website joins forces with v0 SERHANT.'s playbook for rapid AI iteration Two startups at global scale without DevOps Chat SDK brings agents to your users 360 billion tokens, 3 million customers, 6 engineers Meet the 2026 Vercel AI Accelerator Cohort Build knowledge agents without embeddings
React2Shell Security Bulletin | Vercel Knowledge Base
Security Team · 2025-12-05 · via Vercel News

December 11, 2025 update: Following the React2Shell disclosure, increased community research into React Server Components surfaced two additional vulnerabilities that require patching: CVE-2025-55184 (DoS) and CVE-2025-55183 (source code disclosure). See the new Security Bulletin for details.

On December 4, 2025, publicly available exploits emerged for React2Shell, a critical vulnerability in React Server Components affecting React 19 (CVE-2025-55182) and frameworks that use it like Next.js (CVE-2025-66478). The situation continues to be dynamic. We recommend checking this page and the Vercel Developers X Account frequently for the latest updates, and will continue to include them in the Vercel Dashboard as well.

The vulnerability affects Next.js versions 15.0.0 through 16.0.6. If you're running an affected version, upgrade immediately, regardless of other protections in place. Jump to the How to upgrade and protect your Next.js app guide to learn how to patch and protect your application.

DateUpdate
December 08, 8:31 PM PSTVercel Agent can perform automated code reviews and open pull requests to upgrade vulnerable projects. See the automated upgrade section for details.
December 08, 6:09 PM PSTWe strongly recommend turning on Standard Protection for all of your deployments (besides your production domain) and auditing shareable links from all deployments. See the deployment protection section of the bulletin for instructions.
December 06, 9:05 PM PSTIf your application was online and unpatched as of December 4th, 2025 at 1:00 PM PT, we strongly encourage you to rotate any secrets it uses, starting with your most critical ones. Information on patching secrets can be found in our docs.
December 05, 10:29 PM PSTVercel has released an npm package to update your affected Next.js app. Use npx fix-react2shell-next or visit the GitHub page to learn more
December 05, 3:44 PM PSTVercel has partnered with HackerOne for responsible disclosure of critical Vercel Platform Protection workarounds. Valid reports that demonstrate a successful bypass of Vercel protections will be rewarded for this CVE only. Bounties are $25,000 for high and $50,000 for critical. Visit the HackerOne page to participate.
  • When to upgrade your application
  • Understand what React2Shell is and if it affects you
  • How to upgrade and protect your Next.js app
    • Vercel security actions dashboard
    • Vercel deployment protection
    • Version upgrade methods
    • Rotating environment variables
  • How to upgrade other frameworks
  • Frequently asked questions

You should upgrade if:

  • You're using Next.js 15.0.0 through 16.0.6: All Next.js applications running versions between 15.0.0 and 16.0.6 are affected by this vulnerability.
  • You're using Next.js 14 canary versions: If you're using Next.js 14 canaries after 14.3.0-canary.76, you are also vulnerable and need to downgrade or upgrade.
  • You're using React Server Components in any framework: This vulnerability affects React Server Components broadly. If you use RSC through Next.js or another framework, you need to update.

For Next.js, upgrading to a patched version is strongly recommended and the only complete fix. All users of React Server Components, whether through Next.js or any other framework, should update immediately. Learn how to upgrade for Next.js and other frameworks.

React2Shell is a critical vulnerability in React Server Components that affects React 19 and frameworks that use it. Under certain conditions, specially crafted requests could lead to unintended remote code execution.

The most reliable way to determine if you're vulnerable is to check your deployed version of React and Next.js. You need to verify the versions of:

  • next
  • react-server-dom-webpack
  • react-server-dom-parcel
  • react-server-dom-turbopack

If you're using Vercel, you will see a banner in the vercel.com dashboard when your production deployment is using a vulnerable version of these packages.​ This banner is an additional indication to review your deployment.

Everyone should also check their versions directly. This can be done automatically by using npx fix-react2shell-next (see instructions in this section of the bulletin).

Vercel WAF rules provide an additional layer of defense by filtering known exploit patterns:

  • Prior to the CVE announcement, Vercel worked with the React Team to design WAF rules to block exploitation and globally delivered protection to all Vercel users.
  • Ongoing monitoring for new exploit variants with iterative WAF rule updates (as of December 5, 2025, additional rules were deployed to cover newly identified attack patterns)

WAF rules cannot guarantee protection against all possible variants of an attack.

In this section:

  • Vercel security actions dashboard
  • Vercel deployment protection
  • Version upgrade methods
    • Automated upgrade with Vercel Agent
    • Upgrade with the command line utility
    • Manual upgrade
  • Rotating environment variables

Vercel provides a unified dashboard that surfaces any security issues requiring action from your team, including remediation steps. View your security actions dashboard.

Even if your production app has been patched, older versions could still be vulnerable. We strongly recommend turning on Standard Protection for all deployments besides your production domain.

You can see a list of projects without deployment protection in your security actions dashboard or by reviewing your deployment protection settings.

Make sure that preview deployments and deployments from other environments are not used by external users without protection bypass first (see the documentation for details).

You should also audit shareable links from your deployments. If you have disabled deployment protection to share domains that point to preview or custom environment deployments, you should implement deployment protection exceptions and make sure that all deployments added to the exception list have been patched.

Vercel Agent can automatically detect vulnerable projects and open PRs that upgrade your code to patched versions.

View vulnerable projects and initiate upgrades in the Vercel dashboard.

You can quickly update your Next.js project to the right version by using the fix-react2shell-next npm package by running the following command in the root of your application:

Once tested, deploy your updated application as soon as possible. See the deployment guide for instructions.

1. Identify your current version

Load a page from your app and run next.version in the browser console to see the current version or check your package.json to find your current Next.js version:

2. Update to the patched version

Based on the following list, identify which patched release you need to upgrade to:

Vulnerable versionPatched release
Next.js 15.0.x15.0.5
Next.js 15.1.x15.1.9
Next.js 15.2.x15.2.6
Next.js 15.3.x15.3.6
Next.js 15.4.x15.4.8
Next.js 15.5.x15.5.7
Next.js 16.0.x16.0.10
Next.js 14 canaries after 14.3.0-canary.76Downgrade to 14.3.0-canary.76 (not vulnerable)
Next.js 15 canaries before 15.6.0-canary.5815.6.0-canary.58
Next.js 16 canaries before 16.1.0-canary.1216.1.0-canary.12 and after

These patched versions include the hardened React Server Components implementation.

If you're currently using canary releases to enable PPR, you can update to 15.6.0-canary.58, which includes a fix for the vulnerability while continuing to support PPR. For other ways to patch older versions, see this discussion post.

Update your package.json:

3 . Install dependencies and update lockfile

Always commit lockfile changes with together with package.json changes.

Run your package manager's install command:

4. Deploy immediately

Once tested, deploy your updated application as soon as possible. See the deployment guide for instructions.

Once tested, deploy your updated application as soon as possible.

If you're deploying to Vercel, the platform already blocks new deployments of vulnerable versions and has WAF rules in place, but upgrading remains critical.

If you deploy via Git, pushing your changes will trigger a preview build with the patched version, and merging will promote that build to production. You can also create a Manual Deployment from the Vercel Dashboard to publish the fix immediately.

If you are using the Vercel CLI, deploy with:

Assume your vulnerable systems are potentially compromised. Once you have patched your framework version and re-deployed your application, we recommend rotating all your application secrets. Learn how to rotate the environment variables for your Vercel team and projects.

If you use another framework that implements React Server Components, consult the React Security Advisory posted on the react.dev blog. If you are running a vulnerable version of the affected software, you should update to a patched version immediately.

We’ve released an npm package to scan for vulnerable packages and upgrade them. You can read the full details on the package page. Here’s an example run:

terminal-light.pngterminal-light.png

The most definitive way to understand your exposure is to check the version of React/Next that you have deployed against the CVE. See the Checking your vulnerability status above for information on how to check this.

We have enabled a banner on the vercel.com dashboard for our customers that informs you if the production deployment of a project contains a vulnerable version of next, react-server-dom-webpack, react-server-dom-parcel, or react-server-dom-turbopack.

Please consider this an extra layer of defense and not a replacement for checking if you are running vulnerable versions directly.

You cannot definitely tell but we recommend reviewing your application logs and activity for unexpected behavior. This could include unusual POST requests or spikes in function timeouts. However, function timeouts do not reliably indicate compromise because attackers can craft payloads that complete successfully, and timeouts could simply indicate scanning or probing activity rather than successful exploitation.

Vercel deployed WAF mitigations prior to the CVE announcement. As new exploit variants have emerged, we have identified and patched bypasses to our WAF rules. WAF rules are one layer of defense but can never guarantee 100% coverage. Upgrading to a patched version remains the only way to fully secure your application.

Upgrading to a patched version is the only complete fix. Vercel WAF rules provide an additional layer of defense by filtering known exploit patterns, but WAF rules cannot guarantee protection against all possible variants of an attack.

You can ensure other deployments besides your production domain are protected by reviewing your deployment protection settings.

We are closely monitoring for new exploit variants and iterating on our WAF rules as new information emerges. As of this morning, December 5, we’ve deployed additional rules to cover newly identified attack patterns. Our team will continue to add further layers of protections and share updates as they become available.

If you are currently using canary-only features in Next.js you should still prioritize updating to a patched version. See the Required Action section of the Next.js Security Advisory for instructions on how to update to a patched Next.js version without having to disable canary-only features.

We caution against using publicly available exploits against your production environment. Instead, we recommend following the above procedures to ensure all public deployments are using the latest versions of React Server Components and Next.js.

If you have a complex deployment that requires additional verification, we recommend testing in a sandboxed environment with synthetic data to avoid unintended consequences on your production services and data.

Vercel is rolling out patches to existing v0 chats automatically over the next few days. However, you should patch affected v0 apps immediately rather than wait for the automatic update.

To patch a v0 app manually:

  1. Open the deploy dialogue for your affected v0 chat
  2. Click the "Fix with v0" button

Note that v0 apps that are not published are unaffected by React2Shell.