## Critical RCE Vulnerability in React Server Components Exposes Next.js Deployments to Remote Code Execution
Vercel has automatically generated a patch pull request for a critical remote code execution vulnerability affecting React Server Components, with confirmed exposure across Next.js deployments. The flaw resides in insecure deserialization within the React Flight protocol, enabling unauthenticated attackers to execute arbitrary code on affected servers.

The vulnerability was identified in the project book-tour-fe-client, operated by bui-duc-hungs-projects on Vercel's platform. The issue has been assigned multiple tracked identifiers across major security advisories: GitHub Security Advisory GHSA-9qr9-h5gf-34mp, React Advisory CVE-2025-55182, and Next.js Advisory CVE-2025-66478. Vercel issued the automated PR as part of its vulnerability detection infrastructure, though the company cautions that the generated patch may not be comprehensive and could contain errors. Users are directed to perform additional review before merging.

The exposure carries significant implications for organizations running Next.js applications with React Server Components enabled. React Flight, the protocol that streams server-rendered components to the client, becomes the attack vector when its deserializer accepts malicious payloads without sanitizing them. This class of vulnerability has historically enabled full server compromise in downstream exploitation scenarios. Security teams managing affected deployments should prioritize patching, audit React Flight payload handling, and monitor for indicators of exploitation, since the attack vector requires no authentication.
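The first step in "prioritize patching" is knowing which deployments actually ship the affected code. The following Node.js script is an added example and is not code from the advisory, from Vercel or from the React project: it walks a `package-lock.json` (lockfileVersion 2/3 layout, a `packages` map keyed by install path), lists every installed copy of the packages assumed here to carry the React Flight implementation (`react-server-dom-webpack`, `react-server-dom-turbopack`, `react-server-dom-parcel`), and flags copies below a per-minor-line patched floor. The floors in `PLACEHOLDER_PATCHED_FLOORS` are placeholders for this demo and must be replaced with the fixed versions named in the React advisory; the sample lockfile is constructed, not a real project's.

```javascript
// Added example: audit a package-lock.json for React Flight packages.
// Not code from the advisory, Vercel or React. Package names and patched
// floors are assumptions; replace the floors with the advisory's fixed versions.

// Packages assumed to ship the React Flight (server-component streaming) code.
const FLIGHT_PACKAGES = [
  "react-server-dom-webpack",
  "react-server-dom-turbopack",
  "react-server-dom-parcel",
];

// PLACEHOLDER values: first patched release on each "major.minor" line.
// These are demo assumptions, not figures from the advisory.
const PLACEHOLDER_PATCHED_FLOORS = {
  "19.0": "19.0.1",
  "19.1": "19.1.2",
  "19.2": "19.2.1",
};

// "19.2.0-canary.3" -> [19, 2, 0]; prerelease tags are ignored on purpose.
function parseVersion(v) {
  return v.split("-")[0].split(".").map((n) => parseInt(n, 10) || 0);
}

// Numeric major.minor.patch comparison: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Returns one finding per installed copy (direct or nested) of a Flight package.
// status: "vulnerable" (below floor), "patched" (at or above floor),
//         "unknown-line" (no floor known for that major.minor; review manually).
function auditFlightPackages(lockfile, patchedFloors) {
  const findings = [];
  for (const [installPath, entry] of Object.entries(lockfile.packages || {})) {
    const name = FLIGHT_PACKAGES.find((n) => installPath.endsWith("node_modules/" + n));
    if (!name || !entry.version) continue;
    const [major, minor] = parseVersion(entry.version);
    const floor = patchedFloors[`${major}.${minor}`];
    let status;
    if (floor === undefined) status = "unknown-line";
    else if (compareVersions(entry.version, floor) < 0) status = "vulnerable";
    else status = "patched";
    findings.push({ name, version: entry.version, path: installPath, status });
  }
  return findings;
}

function vulnerableFlightPackages(lockfile, patchedFloors) {
  return auditFlightPackages(lockfile, patchedFloors).filter((f) => f.status === "vulnerable");
}

// Constructed sample lockfile (not from any real project): one direct copy
// below the placeholder floor, one nested copy exactly at the floor, and one
// copy on a minor line with no known floor.
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", version: "1.0.0" },
    "node_modules/react": { version: "19.2.0" },
    "node_modules/react-server-dom-webpack": { version: "19.2.0" },
    "node_modules/some-lib/node_modules/react-server-dom-turbopack": { version: "19.1.2" },
    "node_modules/react-server-dom-parcel": { version: "18.3.0" },
  },
};

// Stand-alone run: print every finding; a real run would load the lockfile
// with fs.readFileSync("package-lock.json") and JSON.parse it.
for (const f of auditFlightPackages(SAMPLE_LOCKFILE, PLACEHOLDER_PATCHED_FLOORS)) {
  console.log(`${f.status.padEnd(12)} ${f.name}@${f.version}  (${f.path})`);
}
```

Nested copies matter: a transitively installed older `react-server-dom-*` under another package is still loaded by whichever bundle imports it, so the audit matches on the last path segment rather than only on top-level `node_modules/` entries. Treat `unknown-line` results as work items, not as clean.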

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: RCE, CVE, Next.js, React, Vercel
- **Credibility**: unverified
- **Published**: 2026-04-29 07:54:13
- **ID**: 78124
- **URL**: https://whisperx.ai/en/intel/78124