Critical RCE Vulnerability in React Server Components Triggers Automated Patching Response Across Next.js Deployments
Vercel has automatically generated a pull request addressing a critical remote code execution vulnerability in React Server Components, with potential impact on applications built with Next.js and on other frameworks that use the React Flight protocol. The flaw lies in how servers deserialize Flight protocol payloads: a crafted payload from an unauthenticated client reaches the deserialization logic and can achieve remote code execution on the affected server. The pull request was opened against the Vercel-hosted project "dinnerwithfriends", whose dependencies were flagged as affected, as part of an automated security response targeting exposed codebases.
The issue is tracked across multiple security advisories, including GitHub Security Advisory GHSA-9qr9-h5gf-34mp, React advisory CVE-2025-55182, and Next.js advisory CVE-2025-66478. Vercel's automated system generated the patch without manual intervention and flags the pull request as part of a broader patching effort. The company cautions that the automated changes may not be comprehensive and advises maintainers to review the additional guidance before merging the proposed fixes.
The vulnerability underscores a persistent risk in server-rendering architectures: client-controlled data flowing into deserialization routines. Organizations running React Server Components in production should treat this as a high-priority patching operation. The automated nature of the response suggests the flaw may affect a broad population of deployments, though the full scope of exposure remains under assessment. Maintainers should correlate the Vercel-generated PR with the official advisories from React and Next.js before applying patches to production, and should confirm that every installed copy of the affected packages, including nested duplicates pinned elsewhere in the lockfile, is at a patched version; bumping the framework dependency alone does not guarantee that.
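As an added example (not code from the article, from Vercel's automated PR, or from the React and Next.js projects), the following Node.js script shows the check a maintainer would run before and after merging such a PR: it lists every installed copy of the packages involved in these advisories from an npm lockfile, nested duplicates included, and compares each copy against a minimum patched version for its release line. The lockfile fragment and the patched-version list are constructed placeholders, not values taken from the advisories; substitute the fixed versions the official React and Next.js advisories list. A prerelease build of the patched version (a canary) is deliberately reported as vulnerable, and a copy on a release line with no known fix is reported as needing review rather than as safe.

```javascript
// Added example, not code from the article, Vercel's PR, or the React/Next.js projects.
// Walks the "packages" map of an npm lockfile (lockfileVersion 2 or 3), reports every
// installed copy of the watched packages, and compares each against a caller-supplied
// list of patched versions (one minimum version per major.minor release line).

// Placeholder minimum patched versions. These are assumptions for the demo,
// NOT the versions from the advisories; replace them before relying on the result.
const PATCHED_PLACEHOLDER = {
  react: ["19.1.2"],
  "react-dom": ["19.1.2"],
  "react-server-dom-webpack": ["19.1.2"],
  next: ["15.5.9"],
};

// Constructed sample lockfile fragment (not from any real project).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app" },
    "node_modules/next": { version: "15.5.3" },
    "node_modules/react": { version: "19.1.2" },
    "node_modules/react-dom": { version: "19.1.2" },
    "node_modules/react-server-dom-webpack": { version: "19.1.1" },
    // nested duplicate pulled in by another dependency, on a prerelease build
    "node_modules/legacy-widget/node_modules/react-server-dom-webpack": {
      version: "19.1.2-canary-0a1b2c3d-20250101",
    },
    // nested duplicate on a release line the placeholder list does not cover
    "node_modules/old-chart/node_modules/react": { version: "18.3.1" },
  },
};

// "19.1.2-canary-x" -> { major: 19, minor: 1, patch: 2, pre: "canary-x" }
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v);
  return m ? { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null } : null;
}

// Numeric compare on major.minor.patch (so 19.1.10 > 19.1.9); a prerelease sorts
// below its final release, so a canary of the patched version is still vulnerable.
function compareVersions(a, b) {
  for (const k of ["major", "minor", "patch"]) {
    if (a[k] !== b[k]) return a[k] < b[k] ? -1 : 1;
  }
  if (a.pre === b.pre) return 0;
  if (a.pre === null) return 1;
  if (b.pre === null) return -1;
  return a.pre < b.pre ? -1 : 1;
}

// Every installed copy of the named packages, including nested duplicates such as
// "node_modules/a/node_modules/react". Scoped names ("@scope/pkg") survive the split.
function installedVersions(lock, names) {
  const out = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();
    if (names.includes(name) && entry.version) {
      out.push({ name, path, version: entry.version });
    }
  }
  return out;
}

// Classify each copy as "patched", "vulnerable", "unknown-line" (no patched version
// known for that major.minor: needs manual review, not assumed safe) or "unparseable".
function auditLockfile(lock, patched) {
  return installedVersions(lock, Object.keys(patched)).map((inst) => {
    const v = parseVersion(inst.version);
    if (!v) return { ...inst, status: "unparseable" };
    const fix = patched[inst.name]
      .map(parseVersion)
      .find((p) => p && p.major === v.major && p.minor === v.minor);
    if (!fix) return { ...inst, status: "unknown-line" };
    return { ...inst, status: compareVersions(v, fix) >= 0 ? "patched" : "vulnerable" };
  });
}

// Runs the audit over the constructed sample lockfile.
function auditSample() {
  return auditLockfile(SAMPLE_LOCK, PATCHED_PLACEHOLDER);
}

// True only when every installed copy is confirmed patched.
function allPatched(findings) {
  return findings.every((f) => f.status === "patched");
}

// Usage: print the findings and the copies that still need attention.
const sampleFindings = auditSample();
console.table(sampleFindings);
console.log(allPatched(sampleFindings) ? "all copies patched" : "unpatched copies remain");
```

To run this against a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` and fill the patched-version map from the advisories; the "unknown-line" status is intentionally conservative, because a release line without a listed fix is exactly the case the automated PR may have missed.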