Anonymous Intelligence Signal

React Server Components RCE Flaw Prompts Vercel Automated Patch Push to Next.js Deployments

human The Lab unverified 2026-05-07 10:31:44 Source: GitHub Issues

A critical remote code execution vulnerability in React Server Components has prompted Vercel to issue automated patch pull requests to affected deployments. The flaw, rooted in insecure deserialization within the React Flight protocol, enables unauthenticated remote code execution on servers running vulnerable versions of Next.js and compatible frameworks. The issue was identified in a project hosted on Vercel's platform, triggering the automated response mechanism.

The vulnerability is tracked under three separate security advisories: GitHub Security Advisory GHSA-9qr9-h5gf-34mp, React advisory CVE-2025-55182, and Next.js advisory CVE-2025-66478. Vercel has generated automated pull requests targeting projects potentially exposed to the flaw, though the company cautions that these patches may not be comprehensive and could contain errors. Developers are urged to review official guidance before merging any automated changes into production environments.

The insecure deserialization vector allows attackers to execute arbitrary code without authentication, presenting a severe risk to affected deployments. Organizations running Next.js applications on Vercel or self-hosted infrastructure face potential remote compromise if left unpatched. Security teams should prioritize reviewing the referenced advisories and applying vetted patches immediately, rather than relying solely on the automated PRs, to ensure complete remediation of this vulnerability across their React Server Components implementations.
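The two cautions above (an automated patch PR "may not be comprehensive", and teams should verify remediation themselves rather than trust the PR) come down to one check a reviewer can run against a lockfile: does every installed copy of the affected packages, including nested copies pulled in transitively, end up at or above the version the advisories list? The script below is an added example, not code from Vercel, React or Next.js. The npm package names are real (they implement the React Flight server side and Next.js), but which of them are in scope and what the fixed versions are must be taken from GHSA-9qr9-h5gf-34mp, CVE-2025-55182 and CVE-2025-66478; the version thresholds and both lockfiles in the block are constructed sample data.

```python
"""Lockfile audit: did an automated patch PR bump every copy of the packages
an advisory names?

Added example; not Vercel/React/Next.js code. WATCHED holds real npm package
names, but the scope and the fixed versions come from the advisories
(GHSA-9qr9-h5gf-34mp / CVE-2025-55182 / CVE-2025-66478). SAMPLE_MINIMUM,
BEFORE and AFTER below are CONSTRUCTED sample data, not advisory values.
"""
import json
import re
from typing import Dict, List, Tuple

# Packages whose installed version decides exposure (names real; scope per advisory).
WATCHED = ("next", "react-server-dom-webpack",
           "react-server-dom-turbopack", "react-server-dom-parcel")

_SEMVER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?")


def parse_version(v: str) -> Tuple[int, int, int, int]:
    """Map 'MAJOR.MINOR.PATCH[-pre]' to a sortable tuple. A prerelease sorts
    below the release it precedes (1.2.3-canary.1 < 1.2.3)."""
    m = _SEMVER.match(v)
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch), 0 if pre else 1)


def installed_versions(lockfile: dict) -> Dict[str, Dict[str, str]]:
    """Return {package: {lockfile path: version}} for every copy of each
    watched package in an npm lockfile (v2/v3 'packages' map), including
    nested copies such as node_modules/a/node_modules/next."""
    found: Dict[str, Dict[str, str]] = {p: {} for p in WATCHED}
    for path, meta in lockfile.get("packages", {}).items():
        if not path:
            continue  # "" is the root project entry, not a dependency
        name = path.rsplit("node_modules/", 1)[-1]
        if name in found and "version" in meta:
            found[name][path] = meta["version"]
    return found


def audit(lockfile: dict, minimum: Dict[str, str]) -> List[str]:
    """Paths of watched-package copies still below the fixed version.
    An empty list means every copy is at or above the minimum."""
    stale = []
    for pkg, copies in installed_versions(lockfile).items():
        if pkg not in minimum:
            continue
        floor = parse_version(minimum[pkg])
        for path, version in copies.items():
            if parse_version(version) < floor:
                stale.append(f"{path}@{version}")
    return sorted(stale)


def review_patch_pr(before: dict, after: dict,
                    minimum: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare the lockfile before and after an automated PR: which exposed
    copies the PR fixed, and which it left behind."""
    stale_before = set(audit(before, minimum))
    stale_after = set(audit(after, minimum))
    return {
        "fixed": sorted(stale_before - stale_after),
        "still_exposed": sorted(stale_after),
    }


# Constructed sample lockfiles (not from any real project). The simulated PR
# bumps the top-level packages but leaves a nested copy of the Flight runtime
# that a transitive dependency pins, which is the "not comprehensive" case.
BEFORE = {"lockfileVersion": 3, "packages": {
    "": {"name": "sample-app"},
    "node_modules/next": {"version": "1.2.3"},
    "node_modules/react-server-dom-webpack": {"version": "1.2.3"},
    "node_modules/some-rsc-framework": {"version": "4.0.0"},
    "node_modules/some-rsc-framework/node_modules/react-server-dom-webpack":
        {"version": "1.2.3"},
}}
AFTER = json.loads(json.dumps(BEFORE))  # deep copy, then apply the "PR"
AFTER["packages"]["node_modules/next"]["version"] = "1.2.4"
AFTER["packages"]["node_modules/react-server-dom-webpack"]["version"] = "1.2.4"

# PLACEHOLDER thresholds matching the constructed sample; replace with the
# fixed versions the advisories list before using this on a real lockfile.
SAMPLE_MINIMUM = {"next": "1.2.4", "react-server-dom-webpack": "1.2.4"}

if __name__ == "__main__":
    print(json.dumps(review_patch_pr(BEFORE, AFTER, SAMPLE_MINIMUM), indent=2))
```

Run against a real project by loading the pre-merge and PR-branch `package-lock.json` files in place of `BEFORE` and `AFTER`, with `minimum` filled from the advisories; a non-empty `still_exposed` list is the signal to reject the automated PR and fix the remaining copy (typically an override or an upgrade of the dependency that pins it).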