Critical RCE Vulnerability in React Server Components Exposes Next.js Frameworks
A critical remote code execution (RCE) vulnerability has been identified within React Server Components, directly impacting major frameworks like Next.js. The flaw, stemming from insecure deserialization in the React Flight protocol, enables unauthenticated attackers to execute arbitrary code on the server. This exposure was flagged in the project 'wholesalescout-web' on Vercel, highlighting the immediate risk to countless applications built on these popular technologies.
The vulnerability is formally tracked under multiple advisories: GitHub Security Advisory GHSA-9qr9-h5gf-34mp, React's CVE-2025-55182, and Next.js's CVE-2025-66478. Vercel has initiated automated patching efforts, generating pull requests for affected projects. However, the company explicitly warns that these automated fixes may not be comprehensive and could contain errors, urging developers to conduct thorough reviews before merging any changes.
The discovery places immense pressure on development teams using React Server Components to audit and secure their deployments without delay. The nature of the flaw, unauthenticated RCE in a core protocol, signals a severe security failure that could affect a vast segment of the modern web development ecosystem. While patches are being distributed, the reliance on automated tooling, together with Vercel's explicit caveats about the completeness of its generated fixes, introduces significant operational risk: teams must manually verify each patch to avoid both incomplete remediation and newly introduced instability.