React2Shell (CVE-2025-66478) is a critical vulnerability affecting React and Next.js websites supporting React Server Components. If your website supports React Server Components, even if they are not used, you must update your website.
Official advisory: https://nextjs.org/blog/CVE-2025-66478
Additionally, a Denial of Service vulnerability (CVE-2025-55184 and CVE-2025-67779) and a Source Code Exposure vulnerability (CVE-2025-55183) affect React and Next.js websites.
Official advisory: https://nextjs.org/blog/security-update-2025-12-11
We are confident Prismic’s services are not impacted and remain secure. However, we strongly recommend checking your own React and Next.js websites.
The official repositories for Prismic’s Next.js starters and demos were patched on December 11, 2025. If you cloned or downloaded a Next.js Prismic starter or demo on or before December 11, 2025, it is critical that you update your dependencies following the official recommendation: https://nextjs.org/blog/security-update-2025-12-11
For any additional questions about the impact of React2Shell or any other vulnerability on Prismic, contact us through our Support Portal.
Addendum
This announcement originally covered just React2Shell. Since then, two additional React and Next.js vulnerabilities were disclosed: a Denial of Service vulnerability (CVE-2025-55184 and CVE-2025-67779) and a Source Code Exposure vulnerability (CVE-2025-55183).
All of Prismic's Next.js starters and demos were re-patched on December 11, 2025. The links and dates in this blog post were updated accordingly.
Next.js Prismic starters
- Minimal: https://github.com/prismicio-community/nextjs-starter-prismic-minimal
- Minimal (JavaScript): https://github.com/prismicio-community/nextjs-starter-prismic-minimal-js
- Landing Page: https://github.com/prismicio-community/nextjs-starter-prismic-landing-page
- Multi-page: https://github.com/prismicio-community/nextjs-starter-prismic-multi-page
- Blog: https://github.com/prismicio-community/nextjs-starter-prismic-blog
- Multi-language: https://github.com/prismicio-community/nextjs-starter-prismic-multi-language




