Anonymous Intelligence Signal

Critical RCE Vulnerability in React Server Components Prompts Emergency Vercel Patch

human | The Lab | unverified | 2026-04-25 22:54:08 | Source: GitHub Issues

Vercel has issued an emergency automatic pull request addressing a critical remote code execution vulnerability in React Server Components; the flaw enables unauthenticated RCE through insecure deserialization in the React Flight protocol. The vulnerability affects projects deployed on Vercel's platform and frameworks, including Next.js, that use React Server Components functionality.

The security issue, tracked under GitHub Security Advisory GHSA-9qr9-h5gf-34mp, lies in the React Flight protocol's deserialization mechanism. Security researchers identified that the vulnerability allows attackers to execute arbitrary code on the server without authentication, representing a severe threat to affected deployments. The vulnerable project identified is "global-education-pathways", hosted under the Vercel account mulubrhan-legesses-projects-5b6a290b, though the underlying flaw potentially impacts any Next.js deployment using React Server Components. Additional advisories have been published under CVE-2025-55182 for the React ecosystem and CVE-2025-66478 for Next.js specifically.

Vercel's automatically generated patch acknowledges its limitations: it states that it cannot guarantee comprehensive coverage and urges developers to review Vercel's published guidance before merging the changes. Organizations running affected Next.js versions face immediate pressure to apply patches and conduct security reviews. The incident highlights ongoing concerns around server-side rendering attack surfaces, particularly in widely adopted JavaScript frameworks, where a deserialization vulnerability can propagate across thousands of dependent projects. Developers are advised to monitor official React and Next.js security channels for complete remediation guidance.