## Critical RCE Vulnerability in React Server Components Prompts Emergency Vercel Patch for Next.js Deployments

A critical remote code execution vulnerability affecting React Server Components has surfaced in the Next.js ecosystem, prompting Vercel to issue an automated patch pull request. The flaw, traced to insecure deserialization within the React Flight protocol, enables unauthenticated RCE on exposed servers. Security advisories tracking the issue include GHSA-9qr9-h5gf-34mp, CVE-2025-55182, and CVE-2025-66478, confirming the severity and cross-platform implications.

The vulnerability was initially identified within the Vercel-hosted project "resumize-ai-mafe," signaling exposure across any deployment that uses React Server Components. React Flight, the protocol responsible for serializing component data between server and client, contains a deserialization path that permits arbitrary code execution without authentication. This attack surface is particularly concerning given the widespread adoption of Next.js and the server-client component rendering model it relies upon.

Vercel has generated an automated pull request to integrate the patch, though officials caution that the remediation effort may not be comprehensive and could contain errors. Developers are urged to review Vercel's additional guidance before merging any automated changes. The presence of multiple official advisories across GitHub, React, and Next.js channels indicates coordinated disclosure, yet the automated nature of the patch raises questions about whether the mitigation is thorough. Organizations running Next.js applications with server components enabled should treat this as a priority remediation item pending manual security review.

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: RCE, React Server Components, Next.js, CVE-2025-55182, CVE-2025-66478
- **Credibility**: unverified
- **Published**: 2026-05-07 17:31:42
- **ID**: 80286
- **URL**: https://whisperx.ai/en/intel/80286