Fix React Server Components RCE vulnerability #1

Merged
vercel[bot] merged 1 commits from vercel/dependencies-for-react-flight-hv0o76 into main 2025-12-08 20:35:18 +00:00
vercel[bot] commented 2025-12-08 20:31:23 +00:00 (Migrated from github.com)

> [!IMPORTANT]
> This is an automatic PR generated by Vercel to help you with patching efforts. We can't guarantee it's comprehensive, and it may contain mistakes. Please review our [guidance](https://vercel.link/additional-checks) before merging these changes.

A critical remote code execution (RCE) vulnerability in React Server Components, impacting frameworks such as Next.js, was identified in the project [doyle](https://vercel.com/marching-maestro/doyle). The vulnerability enables unauthenticated RCE on the server via insecure deserialization in the React Flight protocol.

This issue is tracked under:

- GitHub Security Advisory: [GHSA-9qr9-h5gf-34mp](https://github.com/vercel/next.js/security/advisories/GHSA-9qr9-h5gf-34mp)
- React Advisory: [CVE-2025-55182](https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components)
- Next.js Advisory: [CVE-2025-66478](https://nextjs.org/blog/CVE-2025-66478)

This automated pull request upgrades the affected React and Next.js packages to patched versions that fully remediate the issue.

[More Info](https://vercel.link/cve-2025-55182-automated-pr) | security@vercel.com
vercel[bot] commented 2025-12-08 20:31:26 +00:00 (Migrated from github.com)

The latest updates on your projects. Learn more about [Vercel for GitHub](https://vercel.link/github-learn-more).

| Project | Deployment | Preview | Comments | Updated (UTC) |
| :--- | :----- | :------ | :------- | :------ |
| [doyle](https://vercel.com/marching-maestro/doyle) | [Ready](https://vercel.com/marching-maestro/doyle/4SHVosfJqM7B59fVnk3etybucQg5) | [Preview](https://doyle-git-vercel-dependencies-for-react-5b8469-marching-maestro.vercel.app) | [Comment](https://vercel.live/open-feedback/doyle-git-vercel-dependencies-for-react-5b8469-marching-maestro.vercel.app?via=pr-comment-feedback-link) | Dec 8, 2025 8:32pm |