## Critical RCE Vulnerability in React Server Components Tracked Under Multiple CVEs, Vercel Issues Automated Patch
A critical remote code execution vulnerability in React Server Components has been identified and assigned multiple official CVEs, with Vercel automatically generating pull requests to patch affected deployments. The flaw enables unauthenticated RCE on the server through insecure deserialization in the React Flight protocol, posing a severe risk to applications built on affected frameworks including Next.js.

The vulnerability is tracked under GitHub Security Advisory GHSA-9qr9-h5gf-34mp, React Advisory CVE-2025-55182, and Next.js Advisory CVE-2025-66478. The issue was detected in the project ot-nursing-roster hosted on Vercel's platform. The automated patch mechanism represents an unusual level of proactive vendor intervention, suggesting Vercel's security team has identified a meaningful attack surface across its customer base.

Security researchers warn that successful exploitation could allow threat actors to execute arbitrary code on server infrastructure without authentication credentials. Organizations running React Server Components in production environments face immediate pressure to evaluate whether automated patches have been applied and to conduct manual reviews of deployment configurations. The presence of official advisories from multiple vendors indicates coordinated disclosure efforts, though the full scope of affected applications remains under assessment. Developers are urged to review Vercel's guidance documentation before merging automated changes, as the company cautioned that patches may not be comprehensive and could require additional manual remediation steps.

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: RCE vulnerability, React Server Components, CVE-2025-55182, CVE-2025-66478, Next.js
- **Credibility**: unverified
- **Published**: 2026-04-25 17:54:08
- **ID**: 77108
- **URL**: https://whisperx.ai/en/intel/77108