Critical RCE Vulnerability in React Server Components Exposes Next.js and Other Frameworks
A critical remote code execution (RCE) vulnerability has been identified in React Server Components, directly affecting major frameworks such as Next.js. The flaw stems from insecure deserialization in the React Flight protocol and allows unauthenticated attackers to execute arbitrary code on the server, a severe risk for any application built on the affected technology stack.
The vulnerability was discovered in the project 'skill-tree' and is now tracked under multiple official advisories: GitHub Security Advisory GHSA-9qr9-h5gf-34mp, React's CVE-2025-55182 and Next.js's CVE-2025-66478. Vercel has begun automated patching, generating pull requests that upgrade vulnerable dependencies, but it explicitly warns that these automated fixes may be incomplete or contain errors and urges developers to review them thoroughly.
The exposure places a large number of web applications and services at immediate risk and has prompted urgent scrutiny and remediation across the development ecosystem. Organizations relying on React Server Components must prioritize applying the official patches and carry out additional security checks to mitigate the threat of server-side compromise.
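One of the "additional security checks" worth doing after an automated upgrade PR lands is an inventory of the dependency tree itself: a lockfile can carry several copies of the same package, and a nested copy pulled in by another dependency may remain on the old version even after the top-level one is bumped. The script below is an added example, not code from the article, from Vercel or from the React or Next.js projects. It walks an npm lockfile (lockfileVersion 3 layout, where `packages` maps every installed path to its version), lists every installed copy of the packages assumed to ship the React Flight runtime (`react-server-dom-webpack`, `react-server-dom-turbopack`, `react-server-dom-parcel`, plus `next`), and flags any copy below a patched-version floor. The package list is an assumption, the sample lockfile is constructed, and the version floors are placeholders: the article does not state the fixed versions, so they must be replaced with the versions named in GHSA-9qr9-h5gf-34mp, CVE-2025-55182 and CVE-2025-66478.

```javascript
// Added example: audit an npm package-lock.json (lockfileVersion 3) for every
// installed copy of the React Server Components runtime packages and Next.js,
// including nested duplicates, and flag versions below a patched floor.
// Not the article's or the projects' own code; package names are assumptions.

// Assumed names of the packages carrying the Flight runtime (plus Next.js).
const RSC_PACKAGES = [
  'react-server-dom-webpack',
  'react-server-dom-turbopack',
  'react-server-dom-parcel',
  'next',
];

// PLACEHOLDER floors: constructed values, NOT the real fixed versions.
// Replace with the patched versions listed in the official advisories.
const PLACEHOLDER_PATCHED_FLOORS = {
  'react-server-dom-webpack': '19.0.1',
  'react-server-dom-turbopack': '19.0.1',
  'react-server-dom-parcel': '19.0.1',
  next: '15.0.1',
};

// Parse "MAJOR.MINOR.PATCH[-prerelease]" (optional leading "v").
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v));
  if (!m) return null;
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Negative if a < b, 0 if equal, positive if a > b. A prerelease such as a
// canary build sorts below the release with the same numbers (semver rule).
function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  if (!pa || !pb) throw new Error(`unparseable version: ${!pa ? a : b}`);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] - pb.nums[i];
  }
  if (pa.pre && !pb.pre) return -1;
  if (!pa.pre && pb.pre) return 1;
  return 0;
}

// Derive the package name from a lockfile path such as
// "node_modules/next/node_modules/react-server-dom-webpack" or
// "node_modules/@scope/name"; scoped names keep their "@scope/" prefix.
function packageNameFromPath(path) {
  const marker = 'node_modules/';
  const idx = path.lastIndexOf(marker);
  return idx === -1 ? path : path.slice(idx + marker.length);
}

// Walk lock.packages and report every installed copy of a watched package.
// `vulnerable` is true when the copy is below its floor, false when at or
// above it, and null when no floor is known for that package.
function auditLockfile(lock, patchedFloors) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // root project entry, not a dependency
    const name = packageNameFromPath(path);
    if (!RSC_PACKAGES.includes(name)) continue;
    const floor = patchedFloors[name];
    const vulnerable = floor ? compareSemver(entry.version, floor) < 0 : null;
    findings.push({ path, name, version: entry.version, vulnerable });
  }
  return findings;
}

// Constructed sample lockfile: the top-level Flight runtime was upgraded, but
// Next.js and a nested canary copy of the turbopack runtime were not.
const SAMPLE_LOCK = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { next: '15.0.0', react: '19.0.0' } },
    'node_modules/next': { version: '15.0.0' },
    'node_modules/react': { version: '19.0.0' },
    'node_modules/react-server-dom-webpack': { version: '19.0.1' },
    'node_modules/next/node_modules/react-server-dom-turbopack': { version: '19.0.0-canary-abc123' },
    'node_modules/lodash': { version: '4.17.21' },
  },
};

function formatReport(findings) {
  return findings.map((f) => {
    const status = f.vulnerable === null ? 'UNKNOWN' : f.vulnerable ? 'VULNERABLE' : 'ok';
    return `${status.padEnd(10)} ${f.name}@${f.version}  (${f.path})`;
  });
}

for (const line of formatReport(auditLockfile(SAMPLE_LOCK, PLACEHOLDER_PATCHED_FLOORS))) {
  console.log(line);
}
```

In a real repository, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` and the placeholder floors with the advisory's fixed versions; any line marked `VULNERABLE` means an automated upgrade PR did not reach that copy, which is exactly the case Vercel's warning about incomplete automated fixes is pointing at.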