Critical RCE Vulnerability in React Server Components Tracked Under Multiple CVEs, Vercel Issues Automated Patch
A critical remote code execution vulnerability in React Server Components has surfaced for the project react-projects, maintained by developer Caleb Uzuegbunams on the Vercel platform. The flaw lies in how the React Flight protocol, the wire format that carries React Server Components payloads between client and server, deserializes attacker-controlled data: a server that accepts such payloads can be made to execute arbitrary code without any authentication, which puts applications built on affected frameworks, Next.js among them, at severe risk. The issue is tracked by three advisories at different layers of the ecosystem: GitHub Security Advisory GHSA-9qr9-h5gf-34mp, React's own advisory under CVE-2025-55182, and Next.js's advisory under CVE-2025-66478.
Because the weakness sits in the server-side deserialization of Flight protocol data inside React Server Components itself, it is a framework-level defect rather than a bug in any one application's code, and every deployment running an affected build is exposed. Vercel has responded by generating an automated pull request to help maintainers patch, but cautions that the generated change may be incomplete or contain errors; maintainers are advised to read Vercel's accompanying guidance before merging it.
The disclosure puts pressure on teams running Next.js and other affected React framework implementations to determine their exposure and patch promptly. The automated PR is a starting point, not a guarantee: the separate React and Next.js advisories mean the React Server Components packages and the framework release that bundles them both need to be on fixed versions, and Vercel's own caveat about the PR means production deployments with elevated security requirements should expect to review the change by hand and apply any supplementary patches themselves.
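One concrete way to do that manual review, as an added example that is not code from the original article, from Vercel, or from the React project: inventory every installed copy of the React Server Components runtime packages and of Next.js in the repository's npm lockfile, including nested copies that an automated dependency bump can leave behind. The package list is an assumption about which packages implement the Flight protocol; the affected and fixed version ranges are deliberately not encoded here and must be taken from the advisories named above. The lockfile below is constructed for the example.

```javascript
// Added example, not from the original page or from Vercel/React.
// Inventories React Server Components runtime packages and Next.js in an npm
// lockfile (lockfileVersion 2 or 3) so an automated patch PR can be checked
// against the GHSA / CVE advisories rather than merged blind.
// Assumption: these package names implement the Flight protocol server side.
// Affected / fixed version ranges are NOT encoded here; read the advisories.
const WATCHED = new Set([
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
  "next",
]);

// Derive the package name from a lockfile "packages" key, e.g.
// "node_modules/foo/node_modules/@scope/bar" -> "@scope/bar".
function nameFromLockPath(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? lockPath : lockPath.slice(idx + marker.length);
}

// Return { name: [{ path, version }, ...] } for every watched package,
// including nested (hoisting-blocked) copies that a dependency bump can miss.
function inventoryRsc(lock) {
  if (!lock || typeof lock.packages !== "object") {
    throw new Error("expected an npm lockfile (lockfileVersion 2 or 3) with a 'packages' map");
  }
  const found = {};
  for (const [lockPath, entry] of Object.entries(lock.packages)) {
    if (lockPath === "") continue; // root project entry, not a dependency
    const name = nameFromLockPath(lockPath);
    if (!WATCHED.has(name)) continue;
    (found[name] ||= []).push({ path: lockPath, version: entry.version });
  }
  return found;
}

// Names installed at more than one version. After a patch PR every copy must
// be on a fixed release, so a lingering second version is the first thing to check.
function multiVersionPackages(found) {
  return Object.entries(found)
    .filter(([, copies]) => new Set(copies.map((c) => c.version)).size > 1)
    .map(([name]) => name)
    .sort();
}

// Constructed sample lockfile (versions illustrative only): a top-level copy of
// react-server-dom-webpack plus a nested copy pulled in by a UI library, at
// different versions, which is exactly what a one-line dependency bump misses.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { next: "*", react: "*" } },
    "node_modules/next": { version: "16.0.7" },
    "node_modules/react": { version: "19.2.1" },
    "node_modules/react-server-dom-webpack": { version: "19.2.1" },
    "node_modules/some-ui-kit": { version: "1.0.0" },
    "node_modules/some-ui-kit/node_modules/react-server-dom-webpack": { version: "19.2.0" },
  },
};

// Usage: node rsc-inventory.js [path/to/package-lock.json]
// Without an argument the constructed sample above is scanned.
if (typeof require === "function" && require.main === module) {
  const lock = process.argv[2]
    ? JSON.parse(require("fs").readFileSync(process.argv[2], "utf8"))
    : SAMPLE_LOCK;
  const found = inventoryRsc(lock);
  for (const [name, copies] of Object.entries(found)) {
    for (const c of copies) console.log(`${name}\t${c.version}\t${c.path}`);
  }
  const dup = multiVersionPackages(found);
  if (dup.length) console.log(`multiple versions installed: ${dup.join(", ")}`);
}
```

Run it against the branch the automated PR produces and compare every listed version, not just the top-level one, with the fixed releases in the React and Next.js advisories; a package that shows up twice is the case where the PR touched package.json but left a nested copy in place. The script reads npm lockfiles only; pnpm and yarn lockfiles use different layouts and would need their own parser.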