Security Update: Additional Next.js + React Server Components Vulnerabilities (CVE-2025-55183, CVE-2025-55184, CVE-2025-67779)

WordPress VIP continues to monitor and respond to the evolving security issues affecting React Server Components and frameworks that rely on them, including Next.js. Since our earlier advisory, several additional high-severity vulnerabilities have been published.

What’s new

Newly disclosed issues affecting React Server Components include:

  • CVE-2025-55183: possible source code exposure
  • CVE-2025-55184: denial-of-service conditions
  • CVE-2025-67779: an update expanding the denial-of-service vulnerability class associated with CVE-2025-55184

These issues follow the earlier React2Shell (CVE-2025-55182) remote code execution vulnerability (CVSS 10.0), which continues to see active scanning and exploitation attempts globally.

Official advisories:

Customer impact

Applications using React Server Components or affected versions of Next.js may be exposed to denial-of-service behavior, unintended disclosure of source code, or other runtime issues depending on application structure and use of RSC features.

Actions taken by WordPress VIP

We have implemented protective mitigations across the platform intended to reduce exposure to known exploit patterns associated with these newly disclosed vulnerabilities. We continue to monitor for emerging techniques and will adjust mitigations as new information becomes available.

We have also contacted customers running configurations that may be affected.

Required customer action

It is imperative that all customers using React Server Components or vulnerable versions of Next.js upgrade to the latest patched releases as soon as possible. Upstream updates contain important security fixes that provide the most complete protection against these issues and future related variants.

If you are unsure whether your application is affected or need guidance on updating, please contact VIP Support.

Ongoing commitment

WordPress VIP will continue working closely with upstream maintainers and monitoring ongoing research to ensure our customers remain protected. Additional updates will be posted when new information becomes available.

Security Advisory: React and Next.js Vulnerabilities (CVE-2025-66478 / CVE-2025-55182)

WordPress VIP is aware of recently disclosed critical vulnerabilities affecting React Server Components and frameworks built on top of them, including Next.js.

Summary

On December 3, 2025, the React and Next.js teams disclosed critical vulnerabilities:

These vulnerabilities could allow unauthorized access to server-side data in certain configurations of applications using React Server Components or affected Next.js versions.

Impact on WordPress VIP customers

A limited number of VIP customers run applications built on Next.js that are impacted by these disclosures.

WordPress VIP has:

  1. Reached out directly to all customers running affected versions of Next.js.
  2. Implemented protective mitigations to shield all VIP environments from known exploit patterns.

We will continue to monitor for emerging attack signatures and adjust our mitigation strategy as new information becomes available.

Recommended actions for customers

  • If you operate a custom application using Next.js or React Server Components, please ensure you update immediately to a patched version as recommended by the upstream maintainers, and follow the guidelines our team shared directly with your organization.
  • Review official vendor guidance and changelogs:
  • If you are unsure whether your application is affected, please contact VIP Support.

Our commitment

Security is core to the WordPress VIP platform. We are actively collaborating with upstream maintainers and continuously refining mitigations to ensure all customer workloads remain protected. Updates will be provided if further information becomes available.

Now Available: WordPress 6.9

WordPress 6.9, “Gene”, has been released. In keeping with the WordPress version numbering convention, 6.9 is a major release.

WordPress 6.9 brings many enhancements, including:

  • Notes: Seamless, Block-Level Collaboration: With notes attached directly to blocks in the post editor, your team can stay aligned, track changes, and turn feedback into action all in one place. Whether you’re working on copy or refining design in your posts or pages, collaboration happens seamlessly on the canvas itself.
  • Command Palette Throughout the Dashboard: Access the Command Palette from any part of the dashboard, whether you’re writing your latest post, deep in design in the Site Editor, or browsing your plugins. Everything you need, just a few keystrokes away.
  • Fit text to container: There’s a new typography option for text-based blocks that’s been added to the Paragraph and Heading blocks. This new option automatically adjusts font size to fill its container perfectly, making it ideal for banners, callouts, and standout moments in your design.
  • The Abilities API: WordPress 6.9 lays the groundwork for the future of automation with the unified Abilities API. By creating a standardized registry for site functionality, developers can now register, validate, and execute actions consistently across any context—from PHP and REST endpoints to AI agents—paving the way for smarter, more connected WordPress experiences.
  • Accessibility Improvements: More than 30 accessibility fixes sharpen the core WordPress experience. These updates improve screen reader announcements, hide unnecessary CSS-generated content from assistive tech, fix cursor placement issues, and make sure typing focus stays put even when users click an autocomplete suggestion.
  • Performance enhancements: WordPress 6.9 delivers significant frontend performance enhancements, optimizing the site loading experience for visitors. 6.9 boasts an improved LCP (Largest Contentful Paint) through on-demand block styles for classic themes, minifying block theme styles, and increasing the limit for inline styles – removing blockages to page rendering and clearing the rendering path by deprioritizing non-critical scripts. This release comes with many more performance boosts, including optimized database queries, refined caching, and a new template enhancement output buffer that opens the door for more future optimizations.

Learn more about the highlights of WordPress 6.9.

For more details about this release (including specific changes), please see the announcement post and Field Guide.

Questions

If you have any questions about this release, please open a support ticket, and we will gladly assist.

Call for Testing: WordPress 6.9 RC1

The WordPress 6.9 Release Candidate 1 is now available on WordPress VIP. Use the Software Management page to update your non-production sites to WordPress 6.9 for testing.

What’s Changing?

Site Editor improvements and Refined content creation

  • Ability to hide blocks
  • New blocks
  • Notes on blocks
  • Universal command palette in wp-admin

Developer updates

  • Updates to dataviews and dataforms components
  • New abilities API
  • Updates to interactivity API
  • Updates to block binding API

Performance Improvements

  • Improved script and style handling
  • Optimized queries and caching
  • Added ability to handle “fetchpriority” in ES Modules and Import Maps
  • Standardizing output buffering

Testing this release candidate is the next step in preparing your site for the WordPress 6.9 release slated for December 2nd 2025.

How to test WordPress 6.9

Local Environment

Ensure VIP-CLI is updated:
npm update -g @automattic/vip

Update environment:
vip dev-env update --slug SITENAME

Non-production

Alternatively, you may update a non-production site to WordPress 6.9 RC1 now.

Within the Software Management section of the VIP Dashboard, you can select your non-production environment and change the WordPress version to “6.9” within the “Testing” section.

Testing is vital to polishing the release during the Release Candidate and is a great way to contribute. ✨

Not for Production Environments

WordPress VIP does not recommend using Release Candidate or Beta versions in production environments. Any sites that have managed updates will automatically be updated to WordPress 6.9 when it is released on December 2nd 2025.

Questions?

If you have testing feedback or questions related to this release, please open a support ticket, and we will be happy to assist.

Transition from Redis to Valkey

On December 3rd, all Node.js production environments, with the optional Redis add-on enabled, will switch to Valkey as their in-memory data store. Valkey offers improved throughput performance, memory efficiency, and scalability.

Non-production environments have already transitioned from Redis to Valkey, and the change should not require action from WordPress VIP customers.

What can I expect?

Node.js applications switched to Valkey will benefit from improved performance and efficiency with no disruption to service. The transition has been tested across all applicable non-production Node.js environments on the WordPress VIP platform, ensuring a smooth update for production applications.

Questions?

If you have any questions, please open a support ticket and we’ll be glad to assist.

Now Shipping Logs and Backups to Azure and Google Cloud

We’re excited to share that WordPress VIP now supports Google Cloud Platform (GCP) and Microsoft Azure for log and backup shipping, expanding beyond our previous AWS S3-only configuration.

Whether your infrastructure runs on AWS, GCP, or Azure, you can now store logs and backups where it fits best for your organization. This update helps your team align WordPress VIP’s data flows with your existing cloud strategy and compliance needs, all while maintaining the same reliability and automation you expect.

Why It Matters

Many enterprise teams operate across multiple cloud providers or have compliance rules that require storage in specific regions or platforms. Until now, off-site storage required AWS S3. With support for GCP and Azure, your team gains greater flexibility, avoids single-provider dependencies, and can better integrate VIP into your broader cloud ecosystem.

What’s Included

  • Google Cloud Platform (GCP) Support: Configure GCP buckets for both log and backup shipping.
  • Microsoft Azure Support: Use Azure Blob Storage as a destination for your shipped data.
  • Unified Configuration: Manage all destinations directly within the Log Shipping and Backup Shipping settings in your VIP Dashboard.
  • Provider-Agnostic Workflows: Retain the same performance, structure, and data integrity, no matter your storage platform.

Get Started

To start shipping logs and backups to GCP or Azure, visit the Log or Backup Shipping section of your VIP Dashboard and update your storage configuration.
Full setup instructions are available in the Cloud Storage Shipping documentation.