## Critical RCE Vulnerability in React Server Components Triggers Emergency Vercel Patch
A critical remote code execution vulnerability in React Server Components has prompted Vercel to issue automated security patches across affected deployments. The flaw, rooted in insecure deserialization within the React Flight protocol, enables unauthenticated attackers to execute arbitrary code on servers running vulnerable Next.js applications.

The vulnerability was identified in the project city-cart, operated by luckyysinghs-projects on Vercel's platform. Multiple security advisories now track the exposure: GitHub Security Advisory GHSA-9qr9-h5gf-34mp, React advisory CVE-2025-55182, and Next.js advisory CVE-2025-66478. The severity stems from the protocol-level nature of the flaw, which affects the underlying mechanism Next.js and similar frameworks use to stream server component data to clients.

Vercel has generated an automated pull request to upgrade the affected project, though the company cautions that the patch may not be comprehensive and urges manual review before merging.

The exposure raises urgent questions about the supply chain security of server-side rendering frameworks that rely on React's architecture. Development teams using React Server Components should audit their deployments immediately, particularly those processing untrusted user input through serialized data streams. The widespread adoption of Next.js across production environments amplifies the potential blast radius if the vulnerability is actively exploited before patches reach critical mass.

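
One way to start the audit recommended above, as an added example that is not from the original article or from Vercel, React or Next.js: a Node.js function that lists every installed copy of the watched packages in an npm `package-lock.json` (lockfileVersion 2 or 3), including nested transitive copies, and flags those below a minimum version. The watched package names, the sample lockfile and the minimum versions are constructed placeholders; take the real patched versions from the advisories named above.

```javascript
// Added example. Minimum versions are supplied by the caller; the values used
// in the sample below are constructed placeholders, not real patched versions.

// Parse "MAJOR.MINOR.PATCH[-prerelease]"; returns null when not parseable.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-.+)?/.exec(String(v));
  return m ? { nums: [+m[1], +m[2], +m[3]], pre: Boolean(m[4]) } : null;
}

// True when `installed` sorts before `minimum`.
function isBelow(installed, minimum) {
  const a = parseVersion(installed), b = parseVersion(minimum);
  if (!a || !b) return true; // unparseable version: fail closed and flag it
  for (let i = 0; i < 3; i++) {
    if (a.nums[i] !== b.nums[i]) return a.nums[i] < b.nums[i];
  }
  return a.pre && !b.pre; // a prerelease sorts before the release of the same triple
}

// Walk the lockfile "packages" map and report each copy of a watched package.
function auditLockfile(lock, minimums) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    // "node_modules/a/node_modules/b" -> "b"; "" is the root project itself
    const name = path.split("node_modules/").pop();
    if (!path || !Object.hasOwn(minimums, name)) continue;
    findings.push({ name, path, version: entry.version,
                    outdated: isBelow(entry.version, minimums[name]) });
  }
  return findings;
}

// Constructed sample lockfile: a nested, older copy hides under a plugin.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "0.1.0" },
    "node_modules/next": { version: "2.0.0" },
    "node_modules/react-server-dom-webpack": { version: "1.4.2" },
    "node_modules/some-plugin/node_modules/react-server-dom-webpack": { version: "1.3.9" },
    "node_modules/left-pad": { version: "1.3.0" },
  },
};
// Constructed placeholder thresholds (package names are an assumption too).
const sampleMinimums = { next: "2.0.0", "react-server-dom-webpack": "1.4.0" };

for (const f of auditLockfile(sampleLock, sampleMinimums)) {
  console.log(`${f.outdated ? "OUTDATED" : "ok      "} ${f.name}@${f.version} (${f.path})`);
}
```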

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: RCE vulnerability, React Server Components, Next.js, CVE-2025-55182, React Flight protocol
- **Credibility**: unverified
- **Published**: 2026-04-22 11:27:34
- **ID**: 75916
- **URL**: https://whisperx.ai/en/intel/75916