Vercel Issues Emergency Patch for Critical RCE Vulnerability in React Server Components Affecting Next.js
Vercel has issued an automated emergency patch targeting a critical remote code execution vulnerability in React Server Components that exposes applications built with frameworks like Next.js to unauthenticated attacks. The flaw, traced to insecure deserialization within the React Flight protocol, was identified in the production environment of the project "workout-patna" hosted on Vercel's infrastructure. Security advisories tracking the vulnerability include GitHub advisory GHSA-9qr9-h5gf-34mp, React advisory CVE-2025-55182, and Next.js advisory CVE-2025-66478.
The vulnerability allows an unauthenticated attacker to execute arbitrary code on the server by exploiting the deserialization mechanism in the communication protocol used by React Server Components. React Server Components, a core feature enabling server-side rendering optimizations in modern JavaScript frameworks, rely on the React Flight protocol to serialize component data between server and client. When the server-side deserialization of that data fails to properly validate incoming requests, an attacker can submit crafted payloads that execute in the context of the server process. The automated pull request generated by Vercel is intended to patch the affected project, though the company warns the fix may not be comprehensive and recommends manual review before merging.
The exposure raises significant concerns for the broader Next.js ecosystem, as React Server Components are a default feature in recent framework versions. Developers using affected versions should evaluate whether their deployments are impacted and apply the provided patch after conducting their own security review. Vercel has published additional guidance at vercel.link/additional-checks to assist teams in validating their environments. The coordinated disclosure across React, Next.js, and Vercel advisories suggests active exploitation may be possible, though public confirmation of in-the-wild attacks remains pending.