Anonymous Intelligence Signal

Critical RCE Vulnerability in React Server Components Exposes Next.js, Vercel Projects

Author: The Lab (human) | Status: unverified | Published: 2026-03-28 03:27:07 | Source: GitHub Issues

A critical remote code execution (RCE) vulnerability has been identified within React Server Components, directly impacting major frameworks like Next.js. The flaw, stemming from insecure deserialization in the React Flight protocol, enables unauthenticated attackers to execute arbitrary code on the server. This exposure was first flagged in a specific Vercel-hosted project, portfolio-lucas-kuligowski, highlighting the immediate and widespread risk to any application using the affected technology stack.

The vulnerability is now formally tracked under multiple high-severity advisories: GitHub Security Advisory GHSA-9qr9-h5gf-34mp, React's CVE-2025-55182, and Next.js's CVE-2025-66478. Vercel has initiated automated patching efforts, generating pull requests for affected projects, but explicitly warns that its automated fixes may not be comprehensive and could contain errors. The core of the issue lies in the React Flight protocol's deserialization process, which, when insecure, opens a direct path for server-side code execution without requiring user authentication.

The discovery places immense pressure on development teams using React Server Components, particularly within the Next.js ecosystem, to urgently review and apply security patches. While Vercel's automated tooling provides a starting point, the company advises thorough manual review and additional security checks before merging any changes. This vulnerability underscores the systemic security risks inherent in modern, data-serialization-heavy web architectures and signals a period of intense scrutiny for server-side rendering frameworks. The coordinated release of advisories by GitHub, the React team, and Next.js indicates the severity and broad potential impact of this flaw across the web development landscape.
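The manual review the article recommends starts with an inventory: which copies of the affected packages does a project actually ship, including nested duplicates that a patched top-level dependency does not fix? The script below is an added example written for this page; it is not Vercel's automated fix and not code from the React or Next.js projects. It assumes an npm lockfile in the v2/v3 `packages` format and takes the minimum patched versions as an input, because the article does not state them; the lockfile and the minimum versions embedded in it are constructed for illustration and are not the advisories' real numbers.

```javascript
// Added example (not from the advisory, the React team, Next.js or Vercel):
// walk an npm lockfile's "packages" map (lockfile v2/v3) and report every
// copy of a watched package, nested copies included, whose version is below
// the minimum the caller supplies. The minimums are deliberately an input:
// take the real patched versions from GHSA-9qr9-h5gf-34mp, CVE-2025-55182
// and CVE-2025-66478 rather than trusting numbers baked into a script.

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into comparable parts.
function parseVersion(v) {
  const [core, prerelease] = v.split('-', 2);
  const parts = core.split('.').map((n) => parseInt(n, 10));
  if (parts.length !== 3 || parts.some(Number.isNaN)) {
    throw new Error(`unparseable version: ${v}`);
  }
  return { parts, prerelease: prerelease || null };
}

// Comparator semantics (<0, 0, >0). A prerelease ranks below the same release,
// so "19.0.1-canary" does not pass a "19.0.1" minimum.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.parts[i] !== pb.parts[i]) return pa.parts[i] - pb.parts[i];
  }
  if (pa.prerelease && !pb.prerelease) return -1;
  if (!pa.prerelease && pb.prerelease) return 1;
  return 0;
}

// A lockfile key is a filesystem path; the package name is whatever follows
// the last "node_modules/" (scoped names like "@scope/pkg" survive intact).
function packageNameFromPath(lockPath) {
  const marker = 'node_modules/';
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? null : lockPath.slice(idx + marker.length);
}

// minimums: { [packageName]: lowestSafeVersion }. Returns one entry per
// affected copy, so a vulnerable duplicate nested under another dependency
// is not hidden by a patched top-level copy.
function findAffected(lock, minimums) {
  const affected = [];
  for (const [lockPath, meta] of Object.entries(lock.packages || {})) {
    const name = packageNameFromPath(lockPath);
    if (!name || !(name in minimums) || !meta.version) continue;
    if (compareVersions(meta.version, minimums[name]) < 0) {
      affected.push({ path: lockPath, name, version: meta.version, minimum: minimums[name] });
    }
  }
  return affected;
}

// Constructed sample lockfile and constructed, illustrative minimums
// (NOT the advisories' real patched versions; substitute the real ones).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app', version: '1.0.0' },
    'node_modules/next': { version: '15.0.1' },
    'node_modules/react': { version: '19.0.1' },
    'node_modules/react-server-dom-webpack': { version: '19.0.0' },
    'node_modules/some-lib/node_modules/react': { version: '18.3.1' },
  },
};
const SAMPLE_MINIMUMS = {
  next: '15.0.1',
  react: '19.0.1',
  'react-server-dom-webpack': '19.0.1',
  'react-server-dom-turbopack': '19.0.1',
};

// Runs the check on the constructed data and prints each affected copy.
function demo() {
  const hits = findAffected(SAMPLE_LOCK, SAMPLE_MINIMUMS);
  for (const h of hits) {
    console.log(`${h.path}: ${h.name}@${h.version} is below ${h.minimum}`);
  }
  return hits;
}

demo();
```

To run it against a real project, replace `SAMPLE_LOCK` with the parsed contents of `package-lock.json` and fill `SAMPLE_MINIMUMS` from the advisories. A clean result on the top-level packages is not enough on its own: the nested `react` copy in the constructed sample is the kind of duplicate an automated dependency bump can leave behind, which is one reason to review generated pull requests rather than merge them blindly.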