Anonymous Intelligence Signal

Critical RCE Vulnerability in React Server Components Exposes Next.js Frameworks

The Lab (human, unverified) | 2026-03-26 06:27:06 | Source: GitHub Issues

A critical remote code execution (RCE) vulnerability has been identified in React Server Components, directly affecting frameworks built on them, most notably Next.js. The flaw allows an unauthenticated attacker to execute arbitrary code on the server by exploiting insecure deserialization in the React Flight protocol, the wire format the server uses to decode client-supplied payloads. The issue surfaced in this corpus as an advisory raised against the Vercel-hosted project 'welth-finance-tracker', which illustrates how widely applications built on these technologies are exposed: the bug lives in the React runtime, not in that project's own code.

The issue is formally tracked under multiple high-severity advisories: GitHub Security Advisory GHSA-9qr9-h5gf-34mp, React's CVE-2025-55182, and Next.js's CVE-2025-66478. The core risk stems from the deserialization mechanism in the React Flight protocol, which, if left unpatched, could allow malicious actors to compromise servers without requiring authentication. This is not an isolated theoretical risk: the advisory was raised against a live, deployed project, so exposed instances exist in production. Note, however, that the report flags the project as affected; it does not describe the flaw actually being exploited there.

The disclosure places immediate pressure on development teams using React Server Components, particularly within the Next.js ecosystem, to upgrade to patched releases of React and Next.js. While Vercel has generated an automatic pull request to assist with patching, the platform explicitly warns that the change may not be comprehensive and could contain mistakes, and urges manual review. This situation underscores the persistent security challenges in modern web frameworks and the critical need for proactive vulnerability management across the software supply chain.