You can now add one or more cache tags to your Function response by importing the addCacheTag function from @vercel/functions npm package.

import { addCacheTag } from '@vercel/functions'

Once the cached response has a tag associated with it, you can later invalidate the cache in one of several ways:

• Dashboard Settings

• Vercel CLI

• Function API

• REST API

In addition to invalidating by tag, you can also dangerously delete by tag if the origin is gone. However, deleting the cache can increase latency while new content is generated or cause downtime if your origin is unresponsive, so use with caution.

Available on all plans and all frameworks.

Learn more about cache invalidation.

Push notifications are now available on both desktop and mobile, with support for all notification types.

To start receiving push notifications from Vercel:

• Go to Notification Settings in the Vercel dashboard

• Enable the push notification channel for any notification type

To allow mobile notifications on your phone:

• Open the Vercel Dashboard in your mobile browser

• Opt in to push notifications when prompted

Try it out or learn more about notifications.

For any request displayed on runtime logs in the Vercel dashboard, you can now view the referer (if any) for that request in the right hand details panel.

This allows you to understand the source of that request and more easily debug issues.

Try it out or learn more about Runtime Logs.

See the Security Bulletin for the latest updates.

Link to headingSummary

Two additional vulnerabilities in React Server Components have been identified: a high-severity Denial of Service (CVE-2025-55184) and a medium-severity Source Code Exposure (CVE-2025-55183). These issues were discovered while security researchers examined the patches for the original React2Shell vulnerability. The initial fix was incomplete and did not fully prevent denial-of-service attacks for all payload types, resulting in CVE-2025-67779.

Importantly, none of these new issues allow for Remote Code Execution.

We created new rules to address these vulnerabilities and deployed them to the Vercel WAF to automatically protect all projects hosted on Vercel at no cost. However, do not rely on the WAF for full protection. Immediate upgrades to a patched version are required.

Link to headingImpact

Link to headingDenial of Service (CVE-2025-55184)

A malicious HTTP request can be crafted and sent to any App Router endpoint that, when deserialized, can cause the server process to hang and consume CPU.

Link to headingSource Code Exposure (CVE-2025-55183)

A malicious HTTP request can be crafted and sent to any App Router endpoint that can return the compiled source code of Server Actions. This could reveal business logic, but would not expose secrets unless they were hardcoded directly into Server Action's code.

These vulnerabilities are present in versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1 of the following packages:

• react-server-dom-parcel

• react-server-dom-webpack

• react-server-dom-turbopack

These packages are included in the following frameworks and bundlers:

• Next.js: 13.x, 14.x, 15.x, and 16.x.

• Other frameworks and plugins that embed or depend on React Server Components implementation (e.g., Vite, Parcel, React Router, RedwoodSDK, Waku)

Link to headingResolution

After creating mitigations to address these vulnerabilities, we deployed them across our globally-distributed platform to protect our customers. We still recommend upgrading to the latest patched version.

Updated releases of React and affected downstream frameworks include fixes to prevent these issues. All users should upgrade to a patched version as soon as possible.

Link to headingFixed in

• React: 19.0.2, 19.1.3, 19.2.2.

• Next.js: 14.2.35, 15.0.7, 15.1.11, 15.2.8, 15.3.8, 15.4.10, 15.5.9, 15.6.0-canary.60, 16.0.10, 16.1.0-canary.19.

Frameworks and bundlers using the aforementioned packages should install the latest versions provided by their respective maintainers.

Link to headingCredit

Thanks to RyotaK from GMO Flatt Security Inc. and Andrew MacPherson for identifying and responsibly reporting these vulnerabilities, and the Meta Security and React teams for their partnership.

Link to headingReferences

• Next.js Security Update: December 11, 2025

• React Blog: Denial of Service and Source Code Exposure in React Server Components

• React security advisory (CVE-2025-55183)

• React security advisory (CVE-2025-55184)

You can now access OpenAI's latest GPT-5.2 models with Vercel's AI Gateway and no other provider accounts required.

These models perform better than the GPT-5.1 model series, with noted improvements in professional knowledge work, coding, and long-context reasoning. Other highlights include fewer hallucinations, more accurate vision to interpret graphs and visualizations, strong complex front-end work capabilities, and better information retention working with long documents.

There are 3 models available on AI Gateway:

• GPT-5.2 Chat (openai/gpt-5.2-chat) is the model used in ChatGPT, best suited for everyday work and learning.

• GPT-5.2 (openai/gpt-5.2) is for deeper work and complex tasks involving coding or long documents.

• GPT-5.2 Pro (openai/gpt-5.2-pro) is best suited for the most difficult questions and tasks with large amounts of reasoning.

To use the GPT-5.2 models with the AI SDK, set the model to the respective model slug (noted above):

1
import { streamText } from 'ai';
2

3
const result = streamText({
4
  model: 'openai/gpt-5.2-pro',
5
  prompt:
6
    `Create a single-page aurora sky visualizer app in a single HTML file. 
7
     It should display a realistic animated aurora borealis night sky.
8
     Change solar activity level, color palette (green/purple/mixed),
9
     and sky clarity (haze, clear, light clouds).
10
     The UI should feel tranquil, immersive, and visually realistic,
11
     with smooth transitions and subtle ambient motion.`
12
  providerOptions: {
13
    openai: {
14
      reasoningSummary: 'detailed',
15
      reasoningEffort: 'high',
16
    },
17
  },
18
});

AI Gateway provides a unified API for calling models, tracking usage and cost, and configuring retries, failover, and performance optimizations for higher-than-provider uptime. It includes built-in observability, Bring Your Own Key support, and intelligent provider routing with automatic retries.

Learn more about AI Gateway, view the AI Gateway model leaderboard or try it in our model playground.

Vercel Sandbox now supports Node.js version 24.

To run a Sandbox with Node.js 24, upgrade @vercel/sandbox to version 1.1.0 or above and set the runtime property to node24:

1
import { Sandbox } from "@vercel/sandbox";
2

3
async function main() {
4
  const sandbox = await Sandbox.create({
5
    runtime: "node24",
6
  });
7

8
  const version = await sandbox.runCommand("node", ["-v"]);
9
  console.log(`Node.js version: ${await version.stdout()}`);
10
}
11

12
main().catch(console.error);

Read our Sandbox documentation to learn more.

Vercel now supports lifespan events for FastAPI apps. This allows you to define logic that can execute on startup and graceful shutdown—such as managing database connections or flushing external logs.

1
from contextlib import asynccontextmanager
2
from fastapi import FastAPI
3

4
@asynccontextmanager
5
async def lifespan(app: FastAPI):
6
    # Startup logic
7
    print("Starting up...")
8
    await startup_tasks()
9
    yield
10
    # Shutdown logic
11
    await cleanup_tasks()
12

13
app = FastAPI(lifespan=lifespan)

Deploy FastAPI on Vercel or visit the FastAPI on Vercel documentation.

Vercel now provides a unified dashboard that surfaces any security issues requiring action from your team. When a critical vulnerability or security-related task is detected, the dashboard automatically groups your affected projects and guides you through the steps needed to secure them.

This view appears as a banner whenever action is required, and can be accessed anytime through the dashboard search.

Most CVEs are handled automatically through WAF rules and other protections, but when user action is needed, they will appear here.

• Automatic detection of security vulnerabilities that require user intervention - When the platform identifies a vulnerability or configuration that cannot be fully mitigated by Vercel’s autonomous protections, it’s surfaced here with clear instructions.

• Project grouping based on required actions - Current categories include unpatched dependencies, manual fix required, unprotected preview deployments. Additional groups will appear over time as new protections and checks are added.

• Support for both automated remediation - When possible, Vercel Agent offers one-click automated upgrades and PRs.

• Support for manual remediation - For cases requiring manual updates or where GitHub access isn’t available, we provide direct instructions such as: npx fix-react2shell-next

Link to headingStay secure with less effort

The unified dashboard helps teams act quickly during critical moments, consolidate required fixes in one place, and maintain a stronger security posture across all projects.

Explore the dashboard to view any required updates.