Critical RCE Vulnerability Disclosed in React Server Components; Vercel Auto-Generates Patch PR for Affected Next.js Projects
A critical remote code execution vulnerability has been identified in React Server Components, exposing applications built on frameworks including Next.js to unauthenticated server-side attacks. The flaw stems from insecure deserialization of client-supplied payloads within the React Flight protocol, the wire format React Server Components use to move data between client and server, and affects, among other deployments, the project lead-flow hosted on Vercel's platform. The issue was handled under coordinated disclosure and is tracked under GitHub Security Advisory GHSA-9qr9-h5gf-34mp, with dedicated React and Next.js advisories assigned CVE-2025-55182 and CVE-2025-66478 respectively.
The vulnerability allows an attacker to execute arbitrary code on the server without authentication, a severe risk for any production deployment that serves React Server Component endpoints on an affected version. Vercel's security tooling automatically generated a pull request against the lead-flow project that updates the affected dependencies. The automated fix carries explicit caveats, however: Vercel states it cannot guarantee the patch is comprehensive and advises maintainers to review the supplemental guidance in the advisories before merging.
Organizations running Next.js deployments with React Server Components enabled face immediate remediation pressure. The two CVEs reflect where the flaw lives: in the upstream React Flight server implementation, and, separately, in Next.js, which ships that runtime to every App Router application. Because the defect sits in the framework's request handling rather than in application code, exposure is a question of which versions are installed, not of how closely an application resembles lead-flow. Security teams should cross-reference the GitHub, React and Next.js advisories, check the resolved versions in their lockfiles rather than the ranges declared in package.json, redeploy any build that bundled a vulnerable runtime, and verify the result independently rather than relying solely on the automated PR. The disclosure underscores deserialization in server-side rendering pipelines as a continuing high-priority attack vector for modern JavaScript frameworks.
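The independent check recommended above can be automated against an npm lockfile. The script below is an added example written for this article; it is not Vercel's tooling and not code from React, Next.js or the lead-flow project. It classifies every resolved copy of the React Flight server packages and of next as fixed, vulnerable, or unknown by comparing the installed version with the first fixed release on the same major.minor line. The fixed-release table is filled in from the advisories as read at the time of writing and must be confirmed against GHSA-9qr9-h5gf-34mp and the Next.js advisory before use; the lockfile at the bottom is constructed sample input.

```javascript
// Added example (not code from the page, Vercel, React or Next.js): audit a
// package-lock.json for copies of the packages covered by CVE-2025-55182 and
// CVE-2025-66478 that predate the fixed releases.
//
// ASSUMPTION: this table is the author's reading of the advisories; confirm it
// against GHSA-9qr9-h5gf-34mp and the Next.js advisory before relying on it.
const FIXED_RELEASES = {
  // React Flight server packages (CVE-2025-55182)
  "react-server-dom-webpack": ["19.0.1", "19.1.2", "19.2.1"],
  "react-server-dom-parcel": ["19.0.1", "19.1.2", "19.2.1"],
  "react-server-dom-turbopack": ["19.0.1", "19.1.2", "19.2.1"],
  // Next.js (CVE-2025-66478). Next bundles its own copy of the React server
  // runtime, so the next version is what matters for App Router apps.
  "next": ["15.0.5", "15.1.9", "15.2.6", "15.3.6", "15.4.8", "15.5.7", "16.0.7"],
};

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into comparable parts; null if malformed.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Semver ordering: returns <0, 0 or >0. A prerelease such as "19.2.1-canary-x"
// sorts below the plain "19.2.1" release, so canaries are treated conservatively.
function compareVersions(a, b) {
  for (const k of ["major", "minor", "patch"]) {
    if (a[k] !== b[k]) return a[k] - b[k];
  }
  if (a.pre === b.pre) return 0;
  if (a.pre === null) return 1;
  if (b.pre === null) return -1;
  return a.pre < b.pre ? -1 : 1;
}

// "fixed" if the installed version is at or above the fixed release on its
// major.minor line, "vulnerable" if below it, "unknown" if the package or the
// line is not in the table (e.g. an 18.x or 14.x copy: check the advisory).
function classify(name, version) {
  const fixes = FIXED_RELEASES[name];
  const installed = parseVersion(version);
  if (!fixes || !installed) return "unknown";
  const fixedOnLine = fixes
    .map(parseVersion)
    .find((f) => f.major === installed.major && f.minor === installed.minor);
  if (!fixedOnLine) return "unknown";
  return compareVersions(installed, fixedOnLine) >= 0 ? "fixed" : "vulnerable";
}

// Walk the "packages" map of an npm lockfile (lockfileVersion 2 or 3). Nested
// copies under another dependency's node_modules are included, since a
// transitive copy of the Flight server is just as reachable as the top-level one.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const m = /(?:^|\/)node_modules\/((?:@[^/]+\/)?[^/]+)$/.exec(path);
    if (!m || !entry.version) continue;
    const name = m[1];
    if (!(name in FIXED_RELEASES)) continue;
    findings.push({ path, name, version: entry.version, status: classify(name, entry.version) });
  }
  return findings;
}

// Constructed sample lockfile: one patched nested copy, two unpatched copies,
// a canary that sorts below the fix, and an 18.x line the table does not cover.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "node_modules/next": { version: "16.0.5" },
    "node_modules/react": { version: "19.2.0" },
    "node_modules/react-server-dom-webpack": { version: "19.2.0" },
    "node_modules/some-lib/node_modules/react-server-dom-webpack": { version: "19.2.1" },
    "node_modules/react-server-dom-turbopack": { version: "19.2.1-canary-abc123" },
    "node_modules/react-server-dom-parcel": { version: "18.3.1" },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.status.padEnd(10)} ${f.name}@${f.version}  (${f.path})`);
}
```

To run it against a real project, replace SAMPLE_LOCK with the parsed contents of package-lock.json (JSON.parse of the file). Anything reported as vulnerable or unknown needs action or a manual read of the advisory; a clean report still does not prove a deployed artifact is safe, because serverless bundles built before the upgrade keep the old runtime until they are rebuilt and redeployed.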