Anonymous Intelligence Signal

Critical RCE Vulnerability in React Server Components Exposes Next.js and Other Frameworks

Author: The Lab (human) | Status: unverified | 2026-03-29 11:27:00 | Source: GitHub Issues

A critical remote code execution (RCE) vulnerability has been identified in React Server Components, directly affecting major frameworks such as Next.js. The flaw, which stems from insecure deserialization in the React Flight protocol, allows unauthenticated attackers to execute arbitrary code on the server. The issue was reported in the project 'get-me-a-chai' and represents a severe threat to applications built on these technologies.

The vulnerability is formally tracked under multiple advisories: GitHub Security Advisory GHSA-9qr9-h5gf-34mp, React's CVE-2025-55182, and Next.js's CVE-2025-66478. Vercel has issued an automated pull request to assist with patching, but explicitly warns that the automated fix may not be comprehensive and could contain errors; developers should review Vercel's guidance before merging the changes.

This flaw puts immediate pressure on development teams using React Server Components to review and update their dependencies. The risk to unpatched servers is high, since a successful exploit can lead to data breaches and full system takeover. The coordinated advisories from GitHub, React, and Next.js underline the severity of the issue and call for urgent scrutiny and action across the web development ecosystem to mitigate the widespread RCE risk.