Anonymous Intelligence Signal

Critical RCE Vulnerability in React Server Components Exposes Next.js and Other Frameworks

Author: The Lab (human) | Status: unverified | Published: 2026-03-31 02:27:06 | Source: GitHub Issues

A critical remote code execution (RCE) vulnerability has been identified in React Server Components, directly impacting major frameworks such as Next.js. The flaw, stemming from insecure deserialization within the React Flight protocol, enables unauthenticated attackers to execute arbitrary code on the server. This represents a severe risk for any application built on the affected technology stack.

The vulnerability is formally tracked under multiple advisories: GitHub Security Advisory GHSA-9qr9-h5gf-34mp, React's CVE-2025-55182, and Next.js's CVE-2025-66478. The issue was discovered in the project 'dins-2025'. In response, Vercel has generated an automated pull request to assist with patching, though it cautions that the fix may not be comprehensive and could contain errors, advising developers to review Vercel's guidance before merging the changes.

The discovery places immediate pressure on development teams worldwide to audit and update their applications. The widespread adoption of React Server Components and Next.js means the potential attack surface is significant. While an automated patch is a starting point, the inherent risk of incomplete fixes requires manual security reviews. This incident underscores the persistent security challenges in modern web development frameworks and the critical need for vigilant dependency management.