Vercel is looking for valid reports which demonstrate a successful bypass of Vercel WAF rules, allowing for exploitation of React2Shell (CVE-2025-55182, 2025-66478).

Disclosure Policy

We are making this public program available for responsible disclosure of critical WAF workarounds on the Vercel platform. Please do not discuss these vulnerabilities (even resolved ones) outside of the program without express consent from Vercel. Follow HackerOne's disclosure guidelines.

Scope and Rewards

Successful exploitations of React2Shell (CVE-2025-55182, 2025-66478) to bypass Vercel's WAF only. An application has been setup for this purpose - only conduct testing here: https://nextjs-cve-hackerone.vercel.app/

Please Note: This program will only issue rewards for valid critical vulnerabilities that fall within the scope of the specified CVE. Any submissions that do not relate to this CVE, or that do not meet the criteria for a critical vulnerability, will be redirected to our other program. Those submissions will be evaluated according to our standard program policies and guidelines.

Program Rules

• Provide detailed reports with reproducible steps. Reports not detailed enough to reproduce the issue will not be eligible for a reward.
• A testing environment is provided containing a secret behind Vercel's current WAF rules in the environment variable VERCEL_PLATFORM_PROTECTION. Only reports that successfully retrieve this secret will be accepted.
• Do NOT submit vulnerabilities that do not demonstrate a successful bypass of Vercel's WAF rules and allow for successful execution of CVE-2025-55182.
• If you find a valid vulnerability unrelated to this scope, submit it to [email protected] instead.
• Submit one vulnerability per report, unless chaining is required to demonstrate impact.
• When duplicates occur, only the first valid, reproducible report is awarded.
• Multiple vulnerabilities caused by a single root cause will receive one bounty.
• Social engineering (phishing, vishing, smishing) is prohibited.
• Make a good-faith effort to avoid privacy violations, data destruction, or degradation of service.
• Ask the program team before submitting vulnerabilities on unscoped subdomains.
• Only interact with accounts you own, accounts with explicit permission, or the test account provided by Vercel.

---

Test Plan

Demonstrate a successful attack by providing the secret within the environment variable VERCEL_PLATFORM_PROTECTION behind the testing application: https://nextjs-cve-hackerone.vercel.app/. There will be a required field for this when you submit a report.

---

Thank you for helping keep Vercel and our users safe!