Critical RCE Vulnerability in React Server Components Exposes Next.js and Other Frameworks
A critical remote code execution (RCE) vulnerability has been identified within React Server Components, posing a direct threat to major frameworks like Next.js. The flaw, stemming from insecure deserialization in the React Flight protocol, enables unauthenticated attackers to execute arbitrary code on the server. This security gap was discovered in the project `ziko-app` and has triggered coordinated advisories from key stakeholders in the ecosystem.
The vulnerability is formally tracked under GitHub Security Advisory GHSA-9qr9-h5gf-34mp, React's CVE-2025-55182, and Next.js's CVE-2025-66478. The core issue allows malicious actors to exploit the server-side rendering process, potentially compromising any application built with the affected React Server Components architecture. In response, Vercel has initiated automated patching efforts, though it explicitly warns that its automated pull requests may not be comprehensive and could contain errors, urging developers to conduct additional reviews.
This disclosure places immediate pressure on development teams using React Server Components, particularly within the Next.js ecosystem, to audit and update their dependencies. The flaw's remote and unauthenticated nature significantly raises the risk profile for a vast number of web applications. While patches are being distributed, the incident underscores persistent security challenges in modern, data-serialization-heavy web frameworks and highlights the critical need for manual security validation even when automated fixes are provided.
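The dependency audit the article calls for, as an added example that is not code from the advisory, React or Next.js: it scans an npm `package-lock.json` (lockfileVersion 2 or 3) for the React Server Components packages a team cares about and flags any copy, including nested ones, installed below the fixed version the caller supplies from GHSA-9qr9-h5gf-34mp. The sample lockfile and the `DEMO_PATCHED` map are constructed for the demonstration and are not the advisory's real fixed versions.

```javascript
// Added example, not the advisory's or the projects' own code.
// Parse "MAJOR.MINOR.PATCH[-prerelease]"; a prerelease of X sorts below release X.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[^+]*)?/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: Boolean(m[4]) };
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] < pb.nums[i] ? -1 : 1;
  }
  if (pa.pre !== pb.pre) return pa.pre ? -1 : 1; // canary/rc builds are older than the release
  return 0;
}

// lock: parsed package-lock.json; patched: { packageName: minimumFixedVersion }.
// Walks every installed copy, so a vulnerable nested duplicate is not missed.
function auditLockfile(lock, patched) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root project entry
    const name = entry.name || path.slice(path.lastIndexOf("node_modules/") + 13);
    if (!(name in patched) || !entry.version) continue;
    if (compareVersions(entry.version, patched[name]) < 0) {
      findings.push({ name, path, installed: entry.version, required: patched[name] });
    }
  }
  return findings;
}

// Constructed lockfile excerpt for the demo (not a real project's lockfile).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/react": { version: "19.1.0" },
    "node_modules/react-server-dom-webpack": { version: "19.1.0" },
    "node_modules/next": { version: "15.4.0" },
    "node_modules/next/node_modules/react-server-dom-turbopack": { version: "19.2.0-canary-1" },
  },
};
// Constructed thresholds for the demo; take the real fixed versions from the advisory.
const DEMO_PATCHED = {
  "react-server-dom-webpack": "19.1.1",
  "react-server-dom-turbopack": "19.2.0",
  next: "15.4.1",
};

console.log(auditLockfile(SAMPLE_LOCK, DEMO_PATCHED));
```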