Critical RCE Vulnerability in React Server Components Exposes Next.js and Vercel Frameworks
A critical remote code execution (RCE) vulnerability has been identified within React Server Components, directly impacting major web frameworks including Next.js. The flaw, stemming from insecure deserialization in the React Flight protocol, enables unauthenticated attackers to execute arbitrary code on the server, making it a severe risk for any application built on these technologies.
The vulnerability was discovered in the project `project-rate-engine` and is being tracked under multiple official advisories: GitHub Security Advisory GHSA-9qr9-h5gf-34mp, React's CVE-2025-55182, and Next.js's CVE-2025-66478. Vercel has initiated automated patching efforts, generating pull requests for affected projects, but explicitly warns that these automated fixes may not be comprehensive and could contain errors, urging developers to conduct thorough reviews.
The widespread adoption of React Server Components and Next.js, particularly within the Vercel ecosystem, means this vulnerability has a potentially massive attack surface. Developers and organizations must immediately review the linked advisories, apply the necessary patches, and perform the additional security checks the advisories recommend. The incident underscores the persistent risks in modern web development stacks and the critical importance of securing serialization protocols in server-side rendering architectures.