## Critical RCE Vulnerability Discovered in React Server Components: Next.js and Vercel Deployments Under Scrutiny
A critical remote code execution vulnerability has been identified in React Server Components, posing a significant security risk to applications built with frameworks including Next.js. The flaw, stemming from insecure deserialization within the React Flight protocol, enables unauthenticated attackers to execute arbitrary code on affected servers. Vercel has automatically generated pull requests for projects detected as vulnerable, signaling the severity of the exposure across the platform.

The vulnerability is tracked under multiple security advisories: GitHub Security Advisory GHSA-9qr9-h5gf-34mp, React advisory CVE-2025-55182, and Next.js advisory CVE-2025-66478. The project med-spa-web, hosted on Vercel under the account appointmentagency, was identified as affected. Vercel's automated PR acknowledges it cannot guarantee comprehensive coverage and advises manual review before merging any patches. This highlights potential gaps in automated remediation efforts for production environments.

Organizations running React Server Components should immediately assess their dependency versions and apply patches outlined in the official advisories. The React Flight protocol, which facilitates server-to-client data transmission, appears to be the primary attack vector. Given the widespread adoption of Next.js and Vercel's infrastructure, the potential blast radius of this vulnerability extends across a large portion of the modern web ecosystem. Security teams are urged to treat this as a priority update rather than a routine maintenance item.

---
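The dependency assessment recommended above, as an added example that is not code from React, Next.js, Vercel or the advisories: it inventories the packages that carry the Flight layer from a `package-lock.json` and compares each against a patched floor that the reader copies from the official advisory. The package list, the sample lockfile and the floor values are assumptions and placeholders, not figures taken from this page.

```javascript
// Added example, not code from the advisories, React or Vercel: inventory the
// packages that carry the React Flight layer from a package-lock.json and
// compare each one against a patched floor supplied by the reader.

// ASSUMPTION: these package names implement or bundle Flight deserialization.
const FLIGHT_PACKAGES = new Set([
  'react-server-dom-webpack', 'react-server-dom-turbopack',
  'react-server-dom-parcel', 'next',
]);

// Return [{name, version, where}] for every matching lockfile entry.
// Supports lockfile v2/v3 ("packages" map) and v1 (nested "dependencies").
function findFlightPackages(lock) {
  const found = [];
  if (lock.packages) {
    for (const [where, meta] of Object.entries(lock.packages)) {
      const name = where.slice(where.lastIndexOf('node_modules/') + 13);
      if (where && FLIGHT_PACKAGES.has(name) && meta.version)
        found.push({ name, version: meta.version, where });
    }
    return found;
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const where = `${prefix}node_modules/${name}`;
      if (FLIGHT_PACKAGES.has(name)) found.push({ name, version: meta.version, where });
      walk(meta.dependencies, where + '/'); // nested copies that npm could not dedupe
    }
  };
  walk(lock.dependencies, '');
  return found;
}

// Minimal semver compare on major.minor.patch; prerelease tags are ignored.
const parseVer = (v) => v.split('-')[0].split('.').map(Number);
const cmpVer = (a, b) => (a[0] - b[0]) || (a[1] - b[1]) || ((a[2] || 0) - (b[2] || 0));

// floors: { pkgName: { 'MAJOR.MINOR': 'first patched version' } }, one entry per
// release line, copied from the advisory. Lines without a floor report 'unknown'.
function assess(lock, floors) {
  return findFlightPackages(lock).map((pkg) => {
    const v = parseVer(pkg.version);
    const floor = (floors[pkg.name] || {})[`${v[0]}.${v[1]}`];
    const status = !floor ? 'unknown' : cmpVer(v, parseVer(floor)) < 0 ? 'vulnerable' : 'patched';
    return { ...pkg, floor: floor || null, status };
  });
}

// Constructed sample lockfile and placeholder floors (not the advisory's values).
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  '': { name: 'sample-app' },
  'node_modules/next': { version: '15.0.3' },
  'node_modules/react-server-dom-webpack': { version: '19.0.0' },
  'node_modules/lodash': { version: '4.17.21' },
} };
const SAMPLE_FLOORS = { 'react-server-dom-webpack': { '19.0': '19.0.9' } }; // placeholder
function demo() { return assess(SAMPLE_LOCK, SAMPLE_FLOORS); }
```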
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: React, Server Components, RCE, Next.js, Vercel
- **Credibility**: unverified
- **Published**: 2026-04-25 19:54:10
- **ID**: 77115
- **URL**: https://whisperx.ai/en/intel/77115