Vercel

Vercel Agent now auto-detects and fixes security vulnerabilities like React2Shell.


Executive Summary

Vercel has launched a new security capability for its Vercel Agent that automatically detects vulnerable packages and generates pull requests with verified fixes. This feature addresses the critical "React2Shell" remote code execution vulnerability affecting React 19 and Next.js. The service, powered by Vercel's infrastructure, is available at no cost to help development teams stay secure with minimal manual effort.

Key Takeaways

* Product: Vercel Agent now includes an automatic vulnerability detection and auto-fix feature.

* Functionality: It scans for vulnerabilities, uses AI to generate upgrade paths, creates a pull request with the fix, and verifies the update in an isolated sandbox environment.

* Specific Threat: The announcement highlights the immediate utility for patching the critical React2Shell (CVE-2025-55182) vulnerability in React Server Components.

* Developer Workflow: A preview link is generated with the pull request, allowing teams to manually validate the automated fix before merging.

* Cost & Availability: The auto-fix upgrade feature is available now and at no cost.

Strategic Importance

This feature strengthens Vercel's platform by automating critical security maintenance, reducing developer overhead, and positioning Vercel as a more secure, "self-driving" infrastructure provider.

Original article