## Critical RCE Vulnerability in React Server Components Exposes Next.js Deployments to Unauthenticated Code Execution
Vercel has opened an automated pull request to patch a critical remote code execution (RCE) vulnerability in React Server Components. The flaw lets an unauthenticated remote attacker execute code on the server through insecure deserialization in the React Flight protocol. Because the bug lives in React itself rather than in Vercel's hosting, it affects projects deployed on the Vercel platform and, equally, any self-hosted Next.js deployment running an affected React version.

The patch request targets the creatives-pro-v6 project; the underlying flaw is tracked under several advisories: GitHub Security Advisory GHSA-9qr9-h5gf-34mp, React advisory CVE-2025-55182, and Next.js advisory CVE-2025-66478. The attack vector is insecure deserialization in the React Flight protocol, the serialization format React Server Components use to move data between server and client. The weakness is on the server side, where incoming Flight payloads are decoded, which is why it is reachable by anyone who can send a request to the application. The vulnerability affects any framework built on React Server Components, with Next.js being among the most widely deployed. The critical severity follows from the lack of any authentication requirement: a remote attacker can execute arbitrary code without credentials.

The automated patch is part of Vercel's broader vulnerability response system, but the company cautions that the generated PR may be incomplete or contain errors. Security teams should review the official advisories before merging, and should confirm that every copy of the affected packages in the dependency tree, not only the top-level one, ends up on a fixed release. Because the flaw sits in a protocol layer shared by every React Server Components framework, and Next.js is so widely deployed, the exposed population is large. Patching priority should be highest for internet-facing deployments that handle sensitive operations.
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: cve, rce, next.js, react, vercel
- **Credibility**: unverified
- **Published**: 2026-05-02 14:54:09
- **ID**: 79015
- **URL**: https://whisperx.ai/en/intel/79015