## Vercel Issues Emergency Patch for Critical React Server Components RCE Vulnerability in Next.js
Vercel has issued an automated emergency patch for a critical remote code execution vulnerability in React Server Components, with downstream impact on Next.js applications. The flaw, tracked as CVE-2025-55182 and CVE-2025-66478, lies in insecure deserialization in the React Flight protocol and lets an unauthenticated attacker execute arbitrary code on an affected server. The advisory surfaced here through the automated remediation pull request opened against the Vercel-hosted project blankcollar-vc in the blankcollar-projects organization.

The security advisory, published jointly by the React and Next.js teams, rates the flaw critical because it is exploitable before authentication: the deserialization weakness can be triggered without valid credentials or any user interaction, which makes internet-facing deployments the most exposed. The GitHub Advisory Database tracks it as GHSA-9qr9-h5gf-34mp. Vercel has opened an automatic pull request to help affected projects remediate, but cautions that the automated fix may not be complete and should be reviewed manually.

Organizations running Next.js on Vercel or on self-hosted infrastructure should patch immediately. Security teams should review the linked advisories and confirm that any merged patch fully closes the deserialization vector rather than accepting the automated pull request on trust. The React team's disclosure notes that the vulnerability affects any framework that uses React Server Components, so exposure extends beyond Next.js alone.
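One concrete way to do that review is to enumerate every installed copy of the React Server Components (Flight) packages and of Next.js in the lockfile, including nested duplicates pulled in by other dependencies, and compare each against the fixed version from the advisory. The script below is an added example, not code from Vercel, the React team or the Next.js project. It assumes a package-lock.json in lockfileVersion 2/3 layout (the `packages` map keyed by install path); the package names it watches are my assumption about where the Flight server/client code ships, and the fixed versions are placeholders to be replaced with the advisory's own fixed-version table. The sample lockfile is constructed inline.

```python
"""Audit a package-lock.json for unpatched copies of the RSC (Flight)
packages and Next.js. Added example; not the project's or Vercel's code."""
import json
import re

# Packages that ship the React Flight protocol code, plus the framework
# that bundles them. ASSUMPTION: confirm this list against the advisory.
WATCHED = {
    "react-server-dom-webpack",
    "react-server-dom-turbopack",
    "react-server-dom-parcel",
    "next",
}


def parse_version(v):
    """Turn '19.2.1' or '15.5.7-canary.3' into a comparable tuple.
    A pre-release sorts below the plain release of the same number."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)(?:-(.+))?$", v)
    if not m:
        raise ValueError(f"unsupported version string: {v!r}")
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch), 0 if pre is None else -1, pre or "")


def installed_copies(lock):
    """Yield (install_path, name, version) for every copy of a watched
    package, including nested duplicates under another package's
    node_modules, which a top-level version bump alone does not touch."""
    for path, meta in lock.get("packages", {}).items():
        if not path:  # "" is the root project entry, not a dependency
            continue
        version = meta.get("version")
        if version is None:  # workspace link entries carry no version here
            continue
        name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
        if name in WATCHED:
            yield path, name, version


def unpatched_copies(lock, fixed):
    """Return (path, name, version, reason) for every watched copy that is
    below the fixed version for its package. `fixed` maps package name to
    the minimum patched version taken from the advisory."""
    findings = []
    for path, name, version in installed_copies(lock):
        if name not in fixed:
            findings.append((path, name, version, "no fixed version supplied"))
        elif parse_version(version) < parse_version(fixed[name]):
            findings.append((path, name, version, f"below {fixed[name]}"))
    return findings


# Constructed sample lockfile: the top-level packages have already been
# bumped by an automated PR, but a stale nested copy of
# react-server-dom-webpack survives under a UI library.
SAMPLE_LOCK = {
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "version": "1.0.0"},
        "node_modules/next": {"version": "15.5.7"},
        "node_modules/react": {"version": "19.2.1"},
        "node_modules/react-server-dom-webpack": {"version": "19.2.1"},
        "node_modules/some-ui-kit": {"version": "2.3.0"},
        "node_modules/some-ui-kit/node_modules/react-server-dom-webpack": {
            "version": "19.1.0"
        },
    },
}

# PLACEHOLDER fixed versions: constructed for the demo. Replace them with
# the fixed-version table from the GHSA/CVE advisory before real use.
FIXED_PLACEHOLDER = {
    "next": "15.5.7",
    "react-server-dom-webpack": "19.2.1",
    "react-server-dom-turbopack": "19.2.1",
    "react-server-dom-parcel": "19.2.1",
}


def audit_file(path, fixed):
    """Load a real package-lock.json from disk and audit it."""
    with open(path, encoding="utf-8") as fh:
        return unpatched_copies(json.load(fh), fixed)


if __name__ == "__main__":
    for path, name, version, reason in unpatched_copies(SAMPLE_LOCK, FIXED_PLACEHOLDER):
        print(f"UNPATCHED {name}@{version} at {path}: {reason}")
```

On the constructed lockfile the only finding is the nested `react-server-dom-webpack@19.1.0` under `some-ui-kit`, which is exactly the kind of copy an automated top-level bump can miss; run `audit_file("package-lock.json", fixed)` with the advisory's real fixed versions against your own project.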
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: react, next.js, vercel, rce, cve-2025-55182
- **Credibility**: unverified
- **Published**: 2026-04-29 09:54:15
- **ID**: 78166
- **URL**: https://whisperx.ai/en/intel/78166