Critical RCE Vulnerability in React Server Components Triggers Automated Vercel Patch for Next.js Deployments
Vercel has automatically generated a pull request to patch a critical remote code execution vulnerability in React Server Components, a security flaw that affects frameworks including Next.js. The vulnerability enables unauthenticated RCE on the server through insecure deserialization within the React Flight protocol, posing a severe risk to unpatched deployments. The flaw was flagged in the project ad_tools under the Vercel account kellybcs-projects, which suggests that automated scanning detected the exposure across affected codebases.
The security issue is tracked under multiple advisories, including GitHub Security Advisory GHSA-9qr9-h5gf-34mp, React Advisory CVE-2025-55182, and Next.js Advisory CVE-2025-66478. Vercel's automated response generated a pull request designed to assist developers with patching efforts. However, the platform explicitly cautions that the generated PR may not be comprehensive and could contain errors, urging maintainers to review guidance documentation before merging any changes into production environments.
Security researchers warn that the React Flight protocol deserialization flaw could allow attackers to execute arbitrary code remotely without authentication, potentially compromising entire server-side deployments. Organizations running Next.js or other React Server Component frameworks are advised to audit their dependencies, apply patches promptly, and verify the integrity of automated changes before deployment. The existence of multiple coordinated CVEs across React and Next.js advisories signals the severity of the issue and underscores the urgency of targeted remediation across the ecosystem.
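The dependency audit recommended above can be scripted rather than done by hand. The following is an added example, not code from the article, from Vercel, or from the React or Next.js projects: it walks a `package-lock.json` (lockfile version 2 or 3), finds every installed copy of the React Server Components packages and Next.js, including nested duplicates that a top-level `npm ls` glance can miss, and compares each against a minimum-patched-version table. The package list (`react-server-dom-webpack`, `react-server-dom-turbopack`, `react-server-dom-parcel`, `next`) and every version threshold in `SAMPLE_POLICY` are placeholders assumed for the demo; the real affected and fixed versions must be taken from GHSA-9qr9-h5gf-34mp, CVE-2025-55182 and CVE-2025-66478. The sample lockfile is constructed inline so the script runs offline.

```javascript
// Added example (not from the article, Vercel, React or Next.js).
// Audits a package-lock.json for React Server Components packages and reports
// any installed copy below a minimum patched version on its release line.
//
// ASSUMPTIONS: the package names and every threshold in SAMPLE_POLICY are
// placeholders for this demo. Fill them from the advisories before real use.

// Placeholder policy: package -> { "major.minor": minimum patched version on that line }.
// Keyed per release line so a 15.3.x install is judged against the 15.3 fix, not 16.0.
// A line that is installed but absent here is reported as "unknown-line", never passed.
const SAMPLE_POLICY = {
  'react-server-dom-webpack':   { '19.0': '19.0.9', '19.1': '19.1.9', '19.2': '19.2.9' }, // PLACEHOLDERS
  'react-server-dom-turbopack': { '19.0': '19.0.9', '19.1': '19.1.9', '19.2': '19.2.9' }, // PLACEHOLDERS
  'react-server-dom-parcel':    { '19.0': '19.0.9', '19.1': '19.1.9', '19.2': '19.2.9' }, // PLACEHOLDERS
  'next':                       { '15.3': '15.3.9', '15.5': '15.5.9', '16.0': '16.0.9' }, // PLACEHOLDERS
};

// Parse "1.2.3" or "1.2.3-canary.4" into comparable parts; null if not that shape.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-(.+))?$/.exec(v);
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Negative if a < b, 0 if equal, positive if a > b.
// A prerelease sorts below the release with the same numbers (1.2.3-canary.1 < 1.2.3),
// so a canary build of the fixed version is still treated as unpatched.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  if (!pa || !pb) throw new Error(`unparseable version: ${a} / ${b}`);
  for (const k of ['major', 'minor', 'patch']) {
    if (pa[k] !== pb[k]) return pa[k] - pb[k];
  }
  if (pa.pre && !pb.pre) return -1;
  if (!pa.pre && pb.pre) return 1;
  return 0;
}

// Package name from a lockfile "packages" key, e.g.
// "node_modules/some-ui-kit/node_modules/next" -> "next".
function packageNameFromPath(p) {
  const idx = p.lastIndexOf('node_modules/');
  return idx === -1 ? null : p.slice(idx + 'node_modules/'.length);
}

// Classify every installed copy of a policed package as
// "ok", "vulnerable", "unknown-line" or "unparseable".
function auditLockfile(lock, policy) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = packageNameFromPath(path);
    if (!name || !(name in policy) || !entry.version) continue;
    const parsed = parseVersion(entry.version);
    if (!parsed) { findings.push({ path, name, version: entry.version, status: 'unparseable' }); continue; }
    const line = `${parsed.major}.${parsed.minor}`;
    const minPatched = policy[name][line];
    if (!minPatched) { findings.push({ path, name, version: entry.version, status: 'unknown-line' }); continue; }
    const status = compareVersions(entry.version, minPatched) < 0 ? 'vulnerable' : 'ok';
    findings.push({ path, name, version: entry.version, status, minPatched });
  }
  return findings;
}

// Constructed sample lockfile: a patched top-level install, an unpatched nested
// duplicate pulled in by a UI library, and a canary build on an unlisted line.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app' },
    'node_modules/next': { version: '15.3.9' },
    'node_modules/react-server-dom-webpack': { version: '19.2.9' },
    'node_modules/some-ui-kit/node_modules/react-server-dom-webpack': { version: '19.1.2' },
    'node_modules/react-server-dom-turbopack': { version: '19.3.0-canary.7' },
    'node_modules/left-pad': { version: '1.3.0' },
  },
};

// Print a report and return the number of findings that are not "ok";
// a CI wrapper would fail the build when this is non-zero.
function main(lock = SAMPLE_LOCK, policy = SAMPLE_POLICY) {
  const findings = auditLockfile(lock, policy);
  for (const f of findings) {
    console.log(`${f.status.padEnd(12)} ${f.name}@${f.version}  (${f.path})`);
  }
  return findings.filter(f => f.status !== 'ok').length;
}

main();
```

Two design points matter for a real audit: nested copies are reported individually, because a patched top-level `next` says nothing about a second copy vendored under another dependency, and a release line missing from the policy is surfaced as "unknown-line" rather than assumed safe, so a canary or newer minor gets a human look against the advisory instead of a silent pass.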