Bot PR: bump React and Next.js to patch CVE-2025-55182 / CVE-2025-66478 (RCE)
A Vercel bot opened a PR against fpvetleseter/mike to patch an unauthenticated RCE in the React Flight protocol. No application code changes - this is a framework dependency bump only.
The advisory chain covers GHSA-9qr9-h5gf-34mp, CVE-2025-55182 (React side), and CVE-2025-66478 (Next.js side). The vulnerability is in the React Flight wire format - the serialization protocol Server Components use to stream output from server to client. Insecure deserialization there is reachable without authentication.
The proposed fix is a version bump to the patched React and Next.js releases. No route changes, no component rewrites, no behavioral migration. The PR is @vercel[bot]-generated and is currently open.
The bot's own description explicitly disclaims comprehensiveness, so the maintainer still needs to verify the Next.js minor doesn't carry unrelated breaking changes. How urgent this is depends on deployment exposure: anything serving Server Components to untrusted traffic is at risk until this merges.
Spotted something wrong? Or know the PR text has fresher detail than the writeup above?