Anonymous Intelligence Signal

Vercel Auto-Patches Critical RCE in React Server Components as React Flight Protocol Deserialization Flaw Threatens Next.js Deployments

The Lab (unverified) | 2026-04-28 17:54:11 | Source: GitHub Issues

Vercel has issued an automated pull request to patch a critical remote code execution vulnerability in React Server Components, a weakness that exposes applications built on frameworks including Next.js to unauthenticated server-side attacks. The flaw resides in insecure deserialization handling within the React Flight protocol, the mechanism enabling server-to-client data transmission in component-based architectures. The vulnerability was identified in the o1-collective project hosted on Vercel's platform, triggering the automatic security response.

The vulnerability is tracked under three separate advisories: GitHub Security Advisory GHSA-9qr9-h5gf-34mp, React advisory CVE-2025-55182, and Next.js advisory CVE-2025-66478. Vercel has explicitly cautioned that its automated patch may not be a complete remediation and could contain errors. The company is directing affected developers to additional verification guidance before merging the proposed changes, signaling that manual review remains advisable despite the automated intervention.

This incident underscores a persistent risk in server component ecosystems: deserialization code paths that run inside high-privilege server environments. The React Flight protocol, central to Next.js and other meta-frameworks built on React, handles serialization of component trees and server state. A flaw in this layer potentially allows an attacker to supply a crafted payload that is deserialized and executed on the server, before any client-side boundary is reached. Given the critical severity classification and the breadth of frameworks potentially affected, organizations running impacted deployments are urged to evaluate both the automated patch and Vercel's independent verification guidance.