Critical RCE Vulnerability in React Server Components Exposes Next.js and Vercel Projects
A critical remote code execution (RCE) vulnerability has been identified in React Server Components, directly impacting major frameworks like Next.js and projects hosted on platforms such as Vercel. The flaw, stemming from insecure deserialization within the React Flight protocol, enables unauthenticated attackers to execute arbitrary code on the server. This is not a theoretical risk; the vulnerability was actively discovered in the live project `eversparkwebsite` on Vercel, demonstrating a clear and present danger to production applications.
The security issue is formally tracked under multiple high-profile advisories: GitHub Security Advisory GHSA-9qr9-h5gf-34mp, React's CVE-2025-55182, and Next.js's CVE-2025-66478. These coordinated disclosures underscore the severity and broad impact across the React ecosystem. In response, Vercel has initiated automated patching efforts, generating pull requests for affected projects. However, the company explicitly warns that these automated fixes may not be comprehensive and could contain mistakes, urging developers to conduct thorough reviews before merging any changes.
The discovery places immense pressure on development teams using React Server Components, particularly within the Next.js and Vercel ecosystems, to immediately audit and patch their applications. The vulnerability's nature—remote and unauthenticated—significantly lowers the barrier for exploitation, raising the risk of widespread compromise if left unaddressed. This incident triggers urgent scrutiny of the security posture surrounding server-side rendering protocols and highlights the cascading risks when a core library vulnerability propagates through dependent frameworks and hosting platforms.
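The audit step called for above starts with knowing which React Server Components packages a project actually has installed, including copies nested under third-party dependencies that `npm ls` at the top level can hide. The following Node.js script is an added example, not code from the article, from React, from Next.js or from Vercel. It walks an npm `package-lock.json` (lockfile versions 1, 2 and 3), lists every installed copy of `react`, `react-dom`, `next` and the `react-server-dom-*` packages with its version and install path, and compares each against a threshold map. The threshold values in `PLACEHOLDER_FIXED` and the sample lockfile are constructed placeholders: take the real fixed versions from GHSA-9qr9-h5gf-34mp, CVE-2025-55182 and CVE-2025-66478 and substitute them before relying on the output.

```javascript
// Added example, not from the article or the React/Next.js/Vercel projects.
// Inventory RSC-related packages in an npm package-lock.json so their versions
// can be checked against the advisories. All thresholds below are placeholders.

// Package names that ship or consume React Flight (RSC) code. Assumption: this
// list is ours, not taken from the advisories.
const WATCH = [
  /^react-server-dom-(webpack|turbopack|parcel|esm)$/,
  /^react$/,
  /^react-dom$/,
  /^next$/,
];

// Minimal SemVer parser: major.minor.patch with an optional prerelease tag.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v));
  return m ? { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null } : null;
}

// Returns -1, 0 or 1. A prerelease sorts below the same release; two
// prerelease tags are compared as plain strings (a simplification of SemVer §11).
function compareSemver(a, b) {
  for (const k of ["major", "minor", "patch"]) {
    if (a[k] !== b[k]) return a[k] < b[k] ? -1 : 1;
  }
  if (a.pre === b.pre) return 0;
  if (a.pre === null) return 1;
  if (b.pre === null) return -1;
  return a.pre < b.pre ? -1 : 1;
}

// Collect every installed copy of a watched package, at any nesting depth.
// Accepts the parsed lockfile object or its JSON text.
function inventoryLockfile(lock) {
  if (typeof lock === "string") lock = JSON.parse(lock);
  const found = [];
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path, e.g.
    // "node_modules/a/node_modules/next". The "" key is the root project.
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === "") continue;
      const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
      if (WATCH.some((re) => re.test(name))) found.push({ name, path, version: meta.version });
    }
  } else if (lock.dependencies) {
    // lockfileVersion 1: nested "dependencies" tree.
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        if (WATCH.some((re) => re.test(name))) found.push({ name, path, version: meta.version });
        if (meta.dependencies) walk(meta.dependencies, path + "/");
      }
    };
    walk(lock.dependencies, "");
  }
  return found.sort((x, y) => x.path.localeCompare(y.path));
}

// Label each finding: "needs-review" when below the fixed version, "at-or-above-fix"
// otherwise, "unknown" when no threshold is known or the version is unparsable.
function assess(found, fixedVersions) {
  return found.map((entry) => {
    const fixed = fixedVersions[entry.name];
    const have = parseSemver(entry.version);
    let status = "unknown";
    if (fixed && have) {
      status = compareSemver(have, parseSemver(fixed)) < 0 ? "needs-review" : "at-or-above-fix";
    }
    return { ...entry, status };
  });
}

// Constructed sample lockfile (not a real project); every version is invented.
const SAMPLE_LOCK = {
  name: "sample-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", version: "1.0.0" },
    "node_modules/next": { version: "15.0.0" },
    "node_modules/react": { version: "19.0.0" },
    "node_modules/react-dom": { version: "19.0.0" },
    "node_modules/react-server-dom-webpack": { version: "19.0.0" },
    "node_modules/some-ui-kit": { version: "2.3.4" },
    "node_modules/some-ui-kit/node_modules/react-server-dom-webpack": { version: "19.0.0-canary-abc" },
    "node_modules/lodash": { version: "4.17.21" },
  },
};

// PLACEHOLDER thresholds, constructed for this example. Replace with the fixed
// versions published in the advisories before using the output.
const PLACEHOLDER_FIXED = { next: "15.0.1", "react-server-dom-webpack": "19.0.1" };

// Usage: node rsc-inventory.js [path/to/package-lock.json]; defaults to the sample.
if (typeof require !== "undefined" && require.main === module) {
  const lock = process.argv[2]
    ? JSON.parse(require("fs").readFileSync(process.argv[2], "utf8"))
    : SAMPLE_LOCK;
  for (const r of assess(inventoryLockfile(lock), PLACEHOLDER_FIXED)) {
    console.log(`${r.status.padEnd(16)} ${r.name}@${r.version}  (${r.path})`);
  }
}
```

The nested `react-server-dom-webpack` copy under `some-ui-kit` is the case worth noticing: a top-level bump, or an automated pull request that only touches the root `package.json`, leaves such a copy in place, which is one concrete reason to read an auto-generated fix rather than merge it blind.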