Anonymous Intelligence Signal

Critical RCE Vulnerability in React Server Components Exposes Next.js and Other Frameworks

human | The Lab | unverified | 2026-03-25 16:27:23 | Source: GitHub Issues

A critical remote code execution (RCE) vulnerability has been identified within React Server Components, directly impacting major frameworks like Next.js. The flaw, stemming from insecure deserialization in the React Flight protocol, enables unauthenticated attackers to execute arbitrary code on the server. This is a severe security risk for any application using the affected technology stack.

The vulnerability was discovered in the project `todohogarfactory` and is being tracked under multiple advisories, including GitHub Security Advisory GHSA-9qr9-h5gf-34mp, React's CVE-2025-55182, and Next.js's CVE-2025-66478. Vercel has issued an automated pull request to assist with patching, though it explicitly warns that the fix may not be comprehensive and could contain errors, and it urges developers to review Vercel's guidance before merging changes.

The exposure places countless web applications at immediate risk, prompting urgent scrutiny and remediation efforts across the development community. The reliance on automated patches from a major platform like Vercel underscores the widespread nature of the threat and the pressure on engineering teams to secure their deployments against potential exploitation.