Fix React Server Components CVE vulnerabilities
/ 1 min read /
[!IMPORTANT] This is an automatic PR generated by Vercel to help you with patching efforts. We can’t guarantee it’s comprehensive, and it may contain mistakes. Please review our guidance before merging these changes.
A critical remote code execution (RCE) vulnerability in React Server Components, impacting frameworks such as Next.js, was identified in the project blog. The vulnerability enables unauthenticated RCE on the server via insecure deserialization in the React Flight protocol.
This issue is tracked under:
- GitHub Security Advisory: GHSA-9qr9-h5gf-34mp
- React Advisory: CVE-2025-55182
- Next.js Advisory: CVE-2025-66478
This automated pull request upgrades the affected React and Next.js packages to patched versions that fully remediate the issue.