Vercel

Vercel Issues Security Advisory for Critical Next.js Vulnerability (CVE-2025-55182)


Executive Summary

Vercel has issued a security advisory for CVE-2025-55182, a critical vulnerability affecting Next.js applications (versions 15.0.0 to 16.0.6) and other frameworks using React Server Components. With public proof-of-concept exploits being actively used by threat actors, Vercel urges all users to upgrade to a patched software version immediately as the only complete solution. While Vercel's Web Application Firewall (WAF) is providing an initial layer of defense by blocking known attack patterns, patching is the definitive fix.

Key Takeaways

* Vulnerability: CVE-2025-55182 affects a wide range of Next.js versions and any framework implementing React Server Components.

* Required Action: The only complete mitigation is to upgrade to a patched version of Next.js. A detailed table of vulnerable versions and their corresponding patched releases is provided in the announcement.

* Active Exploitation: Publicly available proof-of-concept exploits exist, and threat actors are actively scanning for and attempting to exploit vulnerable applications.

* Vercel's Defense: Vercel has deployed WAF rules to filter and block known exploit patterns for all customers at no cost. However, the company stresses this is a defense layer and not a substitute for upgrading.

* Vulnerability Detection: Users can check their Next.js version in their `package.json` file or browser console. Vercel has also enabled a banner on its platform to notify customers if a production deployment contains a vulnerable version.

Strategic Importance

This announcement underscores the critical importance of rapid patching in the web development ecosystem. Vercel's proactive communication and deployment of WAF rules aim to protect its customers and the broader community, reinforcing its position as a security-conscious platform provider.

Original article