Vercel Issues Emergency Patch for Critical React Server Components RCE Vulnerability Affecting Next.js Deployments
Vercel has released an automated security patch addressing a critical remote code execution vulnerability in React Server Components that exposes Next.js applications to unauthenticated server-side attacks. The flaw resides in insecure deserialization within the React Flight protocol, enabling threat actors to execute arbitrary code on affected servers without authentication credentials.
The vulnerability, tracked under GitHub Security Advisory GHSA-9qr9-h5gf-34mp, has been assigned multiple identifiers across affected platforms: CVE-2025-55182 for React and CVE-2025-66478 for Next.js. The issue impacts projects hosted on Vercel's platform, specifically those initialized through the cards template under the username siddharth2624s-projects. Vercel has generated an automatic pull request to upgrade affected dependencies, though the company cautions that the automated fix may not be comprehensive and could contain errors.
Security teams are advised to carefully review Vercel's additional guidance before merging the patch. The vulnerability's severity stems from its attack vector: the insecure deserialization of Flight payloads is reachable before any authentication check, so an attacker manipulating the serialized data stream needs no credentials. Organizations running React Server Components in production environments should treat this as a priority remediation given the potential for complete server compromise. The React and Next.js security advisories contain technical details that security researchers and platform administrators should cross-reference with their current deployments to verify exposure status.
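One way to carry out that cross-check is to inventory every installed copy of the packages that ship the React Flight (RSC) deserialization code, including nested duplicates that a top-level upgrade can miss. The script below is an added example, not Vercel's or React's code; the lockfile contents and the minimum fixed versions in `DEMO_FIXED` are constructed for the demo, and the real fixed versions must be taken from the React and Next.js advisories for the CVEs above.

```javascript
// Parse "19.1.0-canary-abc" -> [19, 1, 0]; prerelease tags are ignored here.
function parseVersion(v) {
  return v.split("-")[0].split(".").map((n) => parseInt(n, 10) || 0);
}

// Negative if a < b, zero if equal, positive if a > b (major.minor.patch only).
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  }
  return 0;
}

// Walk a lockfileVersion 2/3 package-lock.json (pass the parsed JSON) and report
// every installed copy of the packages named in `fixedVersions`, marking the
// ones that fall below the minimum fixed version. Nested copies under
// node_modules/<dep>/node_modules/ are reported too, since they are what
// actually gets loaded by that dependency.
function auditLockfile(lock, fixedVersions) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path) continue; // "" is the root project entry, not a dependency
    const marker = "node_modules/";
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    if (!(name in fixedVersions)) continue;
    const vulnerable = compareVersions(entry.version, fixedVersions[name]) < 0;
    findings.push({ name, path, version: entry.version, vulnerable });
  }
  return findings;
}

// Constructed lockfile excerpt for the demo (not a real project).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", version: "0.1.0" },
    "node_modules/next": { version: "15.0.0" },
    "node_modules/react": { version: "19.0.0" },
    "node_modules/react-server-dom-webpack": { version: "19.0.0" },
    "node_modules/some-lib/node_modules/react-server-dom-webpack": { version: "19.2.1" },
  },
};
// PLACEHOLDER thresholds for the demo only. The react-server-dom-* packages
// (webpack/turbopack/parcel bindings) and next carry the Flight decoding code;
// substitute the fixed versions published in the advisories.
const DEMO_FIXED = { next: "15.0.1", "react-server-dom-webpack": "19.2.1" };

console.log(auditLockfile(SAMPLE_LOCK, DEMO_FIXED));
```

For a real deployment, load the lockfile with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` and pass it in place of `SAMPLE_LOCK`; any finding with `vulnerable: true` still needs the upgrade even if the top-level `next` entry is already patched.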