Critical RCE Vulnerability in React Server Components Exposes Next.js Frameworks
A critical remote code execution (RCE) vulnerability has been identified in React Server Components, directly affecting major frameworks such as Next.js. The flaw, which allows unauthenticated attackers to execute arbitrary code on the server, stems from insecure deserialization in the React Flight protocol. The issue surfaced in the Vercel-hosted project 'portfoliowebsite', but it represents a systemic risk for the many applications built on these technologies.
The vulnerability is formally tracked under multiple advisories, including GitHub Security Advisory GHSA-9qr9-h5gf-34mp, React's CVE-2025-55182, and Next.js's CVE-2025-66478. Vercel has initiated automated patching efforts, generating pull requests for affected projects. However, the company explicitly warns that these automated fixes may not be comprehensive and could contain errors, urging developers to conduct thorough reviews before merging any changes.
The disclosure puts development teams under immediate pressure to audit and secure their applications. The risk is not confined to a single codebase: it extends to every application that relies on React Server Components for server-side rendering. The incident has set off an urgent remediation effort and forces a re-evaluation of serialization safety in a core web technology used by millions of sites worldwide.