Critical RCE Vulnerability in React Server Components Exposes Next.js and Other Frameworks
A critical remote code execution (RCE) vulnerability has been identified in React Server Components, directly impacting major frameworks like Next.js. The flaw, stemming from insecure deserialization within the React Flight protocol, allows an unauthenticated attacker to execute arbitrary code on the server by sending a crafted request whose Flight payload is deserialized by the server. This is a critical exposure for any application that ships the affected technology stack.
The vulnerability is tracked under multiple advisories, including GitHub Security Advisory GHSA-9qr9-h5gf-34mp, React's CVE-2025-55182, and Next.js's CVE-2025-66478, which covers the same underlying flaw as it surfaces through Next.js. The issue was flagged against a specific project in the reporter's portfolio, confirming that the affected versions are present in real deployments and not only in the advisory's version ranges. In response, Vercel has generated an automated pull request to assist with patching, though it cautions that the fix may not be comprehensive and requires manual review before merging. The caveat matters in practice: Next.js bundles its own copy of React for the App Router, so bumping the top-level react package alone does not close the hole; the next package itself must be moved to a patched release, and any copies of the react-server-dom-webpack, react-server-dom-parcel or react-server-dom-turbopack packages pulled in transitively by other dependencies must be updated as well.
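As an added example (not code from the advisory, React or Vercel), the following Node script scans an npm package-lock.json for Next.js and React Server Components packages in the affected ranges, including nested copies that a top-level bump can leave behind. The version tables in it are my assumptions about the advisory's affected and fixed releases and must be verified against GHSA-9qr9-h5gf-34mp before the script is trusted; the sample lockfile is constructed for illustration.

```javascript
// Added example, not code from the advisory, React or Vercel.
// Scans an npm package-lock.json (lockfileVersion 2 or 3) for Next.js and
// React Server Components packages in the ranges affected by CVE-2025-55182,
// including copies nested under other dependencies, which an automated bump of
// only the top-level "next" entry can miss.
//
// ASSUMPTION: the version lists below reflect GHSA-9qr9-h5gf-34mp as the author
// of this example understands it (affected React 19.0.0-19.2.0 stable; fixed in
// 19.0.1, 19.1.2, 19.2.1; Next.js fixed in the 15.x/16.x releases listed).
// Verify them against the advisory before relying on this script.

const RSC_PACKAGES = new Set([
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
]);
const AFFECTED_RSC_VERSIONS = new Set(["19.0.0", "19.1.0", "19.1.1", "19.2.0"]);
const NEXT_FIXED = {
  "15.0": "15.0.5", "15.1": "15.1.9", "15.2": "15.2.6", "15.3": "15.3.6",
  "15.4": "15.4.8", "15.5": "15.5.7", "16.0": "16.0.7",
};

// "16.0.7-canary.3" -> { nums: [16, 0, 7], pre: "canary.3" }
function parseVersion(v) {
  const [core, pre] = v.split("-", 2);
  return { nums: core.split(".").map(Number), pre: pre || null };
}

// Numeric compare of major.minor.patch; prerelease tags are ignored here.
function compareCore(a, b) {
  for (let i = 0; i < 3; i++) {
    const d = (a.nums[i] || 0) - (b.nums[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Returns "vulnerable", "fixed", "unaffected" or "review". Prerelease builds and
// minor lines missing from the table are handed to a human rather than guessed.
function nextStatus(version) {
  const v = parseVersion(version);
  if (v.pre) return "review";
  const [major, minor] = v.nums;
  if (major < 15) return "unaffected"; // assumption: only 15.x/16.x are in scope
  const fixed = NEXT_FIXED[`${major}.${minor}`];
  if (!fixed) return "review";
  return compareCore(v, parseVersion(fixed)) >= 0 ? "fixed" : "vulnerable";
}

function rscStatus(version) {
  const v = parseVersion(version);
  if (v.pre) return "review";
  if (v.nums[0] !== 19) return "unaffected";
  return AFFECTED_RSC_VERSIONS.has(version) ? "vulnerable" : "fixed";
}

// Walks every entry in lock.packages. The package name is the path segment
// after the last "node_modules/", so nested copies are found as well.
function scanLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root project entry
    const marker = "node_modules/";
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    let status = null;
    if (name === "next") status = nextStatus(meta.version);
    else if (RSC_PACKAGES.has(name)) status = rscStatus(meta.version);
    if (status && status !== "unaffected") {
      findings.push({ path, name, version: meta.version, status });
    }
  }
  return findings;
}

// Constructed sample: top-level next and react-server-dom-webpack already
// bumped, but a nested copy left behind by another dependency is still old.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "app", version: "1.0.0" },
    "node_modules/next": { version: "15.5.7" },
    "node_modules/react": { version: "19.2.1" },
    "node_modules/react-server-dom-webpack": { version: "19.2.1" },
    "node_modules/some-rsc-tool/node_modules/react-server-dom-webpack": { version: "19.1.1" },
  },
};

function report(lock) {
  return scanLockfile(lock).map(
    (f) => `${f.status.padEnd(10)} ${f.name}@${f.version}  (${f.path})`
  );
}

for (const line of report(SAMPLE_LOCK)) console.log(line);
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))`; anything reported as "vulnerable" or "review" needs attention even after an automated dependency bump has been merged.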
The discovery places immediate pressure on development teams using React Server Components to review and apply the security updates. The widespread adoption of Next.js and related frameworks means the potential attack surface is significant, and the risk of exploitation remains until patched releases are actually deployed, not merely proposed in a pull request. This incident underscores the persistent security challenges in modern web development architectures and the critical need for proactive vulnerability management.