Bot PR: bump React and Next.js to patch CVE-2025-55182 / CVE-2025-66478 (RCE)

A Vercel bot opened a PR against fpvetleseter/mike to patch an unauthenticated RCE in the React Flight protocol. No application code changes - this is a framework dependency bump only.

securityinfrastructure

The advisory chain covers GHSA-9qr9-h5gf-34mp, CVE-2025-55182 (React side), and CVE-2025-66478 (Next.js side). The vulnerability is in the React Flight wire format - the serialization protocol Server Components use to stream output from server to client. Insecure deserialization there is reachable without authentication.

The proposed fix is a version bump to the patched React and Next.js releases. No route changes, no component rewrites, no behavioral migration. The PR is @vercel[bot]-generated and is currently open.

The bot's own description explicitly disclaims comprehensiveness, so the maintainer still needs to verify the Next.js minor doesn't carry unrelated breaking changes. How urgent this is depends on deployment exposure: anything serving Server Components to untrusted traffic is at risk until this merges.

So what If your fork uses Next.js Server Components and is deployed to public traffic, check whether you've already taken the equivalent upgrade. This PR carries no fork-specific logic - the only question is whether the Next.js version bump is safe against your own test suite.

View this fork on GitHub →

Spotted something wrong? Or know the PR text has fresher detail than the writeup above?