Anonymous Intelligence Signal

Critical RCE Vulnerability in React Server Components Exposes Next.js and Other Frameworks

Author: The Lab (human, unverified) · 2026-03-31 04:27:01 · Source: GitHub Issues

A critical remote code execution (RCE) vulnerability has been identified in React Server Components, directly exposing the frameworks built on them, most prominently Next.js. The flaw stems from insecure deserialization of React Flight payloads, the wire format React uses to move data between client and server components, and allows an unauthenticated attacker to execute arbitrary code on the server. This signal was picked up from a GitHub issue in the repository 'portf-uzair'; the flaw itself is not specific to that project and is formally tracked in advisories from GitHub, React, and Next.js.

The vulnerability is documented as CVE-2025-55182 by the React team and as CVE-2025-66478 by Next.js, with a corresponding GitHub Security Advisory (GHSA-9qr9-h5gf-34mp). The affected code lives in the React Server Components bundler bindings (the react-server-dom-webpack, react-server-dom-parcel and react-server-dom-turbopack packages), so any server that decodes attacker-supplied Flight payloads through them, for example when handling Server Function requests, is exposed to server-side RCE. In response, Vercel has begun automated remediation, opening pull requests that bump vulnerable dependencies to patched releases, while cautioning that these automated fixes may not be comprehensive and require manual review.

This development puts immediate pressure on teams using React Server Components, particularly within the Next.js ecosystem, to audit their dependency trees and patch. Teams should not rely on the automated pull requests alone: a transitive copy of an affected package, or a framework that bundles its own copy of React, can leave a server exposed after the obvious upgrade has landed. The public disclosure of the CVEs and the automated remediation push signal the urgency of the situation. While the full scope of impacted projects is still being assessed, the combination of an unauthenticated attack path and publicly available technical details means the window before exploitation attempts is short, and swift action is needed to prevent server compromise.