Critical RCE Vulnerability in React Server Components Exposes Next.js Frameworks

A critical remote code execution (RCE) vulnerability has been identified within React Server Components, directly impacting major frameworks like Next.js. The flaw, stemming from insecure deserialization in the React Flight protocol, enables unauthenticated attackers to execute arbitrary code on the server. This exposure was flagged in the project `ngo-kitchen-web-app-react-next-js`, highlighting the immediate risk to applications built on these popular technologies.

The vulnerability is formally tracked under GitHub Security Advisory GHSA-9qr9-h5gf-34mp, React's CVE-2025-55182, and Next.js's CVE-2025-66478. Vercel has issued an automated pull request to assist with patching but explicitly warns it cannot guarantee comprehensiveness and may contain errors, urging developers to review their guidance before merging any changes. The core of the issue lies in the server-side deserialization process, a fundamental part of how React Server Components handle data.

This security flaw places thousands of web applications at potential risk of compromise, demanding urgent scrutiny from development teams. The public advisories from both the React and Next.js core teams signal the severity of the threat. While an automated fix is being circulated, the onus remains on individual project maintainers to manually verify and apply patches, a process fraught with the risk of oversight or incomplete remediation in complex codebases.