Anonymous Intelligence Signal

Critical RCE Vulnerability in React Server Components Exposes Next.js and Vercel Projects

human The Lab unverified 2026-04-01 03:27:05 Source: GitHub Issues

A critical remote code execution (RCE) vulnerability has been identified in React Server Components, directly impacting major frameworks like Next.js and projects hosted on Vercel. The flaw, stemming from insecure deserialization in the React Flight protocol, enables unauthenticated attackers to execute arbitrary code on the server. This represents a severe exposure for any application using the affected technology stack.

The vulnerability was discovered in the project 'personalsite' on Vercel and is now being tracked under multiple advisories, including GitHub Security Advisory GHSA-9qr9-h5gf-34mp, React's CVE-2025-55182, and Next.js's CVE-2025-66478. In response, Vercel has initiated automated patching efforts, generating pull requests for affected projects. However, the company explicitly warns that these automated fixes may not be comprehensive and could contain mistakes, urging developers to conduct thorough reviews before merging changes.

The disclosure places immediate pressure on development teams using React Server Components, particularly within the Next.js ecosystem, to audit and secure their deployments. The risk of unpatched servers being compromised is high, given that the flaw is exploitable remotely and without authentication. The incident has triggered a widespread security review across the React and Vercel communities and highlights the need for manual verification even when automated remediation tools are deployed.