Vercel Issues Emergency Patch for Critical RCE Vulnerability in React Server Components Affecting Next.js Deployments
Automated security pull requests have been opened across Next.js projects hosted on Vercel following the identification of a critical remote code execution vulnerability in React Server Components. The flaw, tracked under GitHub Security Advisory GHSA-9qr9-h5gf-34mp, stems from insecure deserialization within the React Flight protocol and allows unauthenticated RCE on affected servers. The vulnerability was initially discovered in the production project salah-tours, operated by developer ahmed-zahw on the Vercel platform.
The weakness lies in the deserialization mechanism React Server Components use to exchange data between the server and client environments. When successfully exploited, it allows an attacker to execute arbitrary code on the underlying server without any authentication credentials. React and Next.js maintainers have issued parallel advisories, CVE-2025-55182 for React and CVE-2025-66478 for Next.js, documenting the technical scope and the recommended remediation steps. Vercel has generated automated patches for affected repositories but explicitly warns that the fixes may not be comprehensive and must be reviewed manually before merging.
The incident highlights persistent risks in server-side rendering architectures where client-controlled data flows back into deserialization routines. Organizations running Next.js deployments built on React Server Components are advised to audit their dependency versions, review Vercel's guidance at the provided link, and apply security updates cautiously. While no active exploitation has been publicly confirmed, the severity of unauthenticated RCE vulnerabilities typically leaves a narrow window between disclosure and opportunistic attack campaigns. The React and Next.js security teams continue to monitor for indicators of targeted abuse.
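The dependency audit recommended above, as an added example that is not part of the original article or of Vercel's tooling: it walks an npm v2/v3 lockfile, collects every installed copy of the watched packages (nested copies included), and flags any copy below the patched minimum for its release line. The package names are an assumption about where the fix ships, the lockfile is constructed, and the minimum versions are placeholders to be replaced with the values from the advisories.

```python
import json
import re
from collections import defaultdict

# Assumption for this example: the fix ships in the Next.js package and in the
# React Flight packages that implement the affected protocol.
WATCHED = ("next", "react-server-dom-webpack", "react-server-dom-turbopack", "react-server-dom-parcel")

def parse_version(v):
    """'15.5.7' -> (15, 5, 7); pre-release suffixes such as '-canary.1' are dropped."""
    return tuple(int(x) for x in re.match(r"(\d+)\.(\d+)\.(\d+)", v).groups())

def installed_copies(lock):
    """Every installed copy of a watched package, keyed by name, nested ones included."""
    found = defaultdict(list)
    for path, meta in lock.get("packages", {}).items():
        name = path.rsplit("node_modules/", 1)[-1]  # strips any parent node_modules prefix
        if path and name in WATCHED and "version" in meta:
            found[name].append((path, meta["version"]))
    return found

def audit(lock, patched):
    """Return [(path, version, required_minimum)] for copies that are not known to be patched.
    A copy whose release line has no entry in `patched` is reported with required_minimum=None."""
    findings = []
    for name, copies in installed_copies(lock).items():
        for path, version in copies:
            major, minor, _ = parse_version(version)
            minimum = patched.get(name, {}).get(f"{major}.{minor}")
            if minimum is None or parse_version(version) < parse_version(minimum):
                findings.append((path, version, minimum))
    return findings

# Constructed sample lockfile; not taken from any real project.
SAMPLE_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "0.0.0"},
        "node_modules/next": {"version": "15.5.3"},
        "node_modules/react-server-dom-webpack": {"version": "19.1.1"},
        "node_modules/ui-kit/node_modules/react-server-dom-webpack": {"version": "19.2.5"},
    },
}

# PLACEHOLDER minimums per release line; the real values come from GHSA-9qr9-h5gf-34mp
# and the CVE-2025-66478 advisory, not from this example.
PLACEHOLDER_PATCHED = {
    "next": {"15.5": "15.5.4"},
    "react-server-dom-webpack": {"19.1": "19.1.2", "19.2": "19.2.5"},
}

if __name__ == "__main__":
    for path, version, minimum in audit(SAMPLE_LOCK, PLACEHOLDER_PATCHED):
        print(f"{path}: {version} (patched minimum: {minimum or 'none known for this line'})")
```

Against a real project, load `package-lock.json` with `json.load` in place of `SAMPLE_LOCK`; a `None` minimum means the release line is not covered by the table and needs a manual look rather than a pass.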