Critical RCE Vulnerability in React Server Components Exposes Next.js, Vercel Projects
A critical remote code execution (RCE) vulnerability has been identified in React Server Components, directly affecting Next.js and projects hosted on Vercel. The flaw lies in how the server-side React Server Components packages deserialize React Flight protocol payloads: a request body is processed without sufficient validation, which lets an unauthenticated attacker execute arbitrary code on the server. Any application that exposes a React Server Components endpoint built on an unpatched version is at risk.
The vulnerability was flagged in the project 'plataforma-guajira-emprende' on Vercel, which triggered an automated security patch pull request from the platform. While Vercel's automated tool is meant to assist with patching, the company explicitly warns that the fix may not be comprehensive and could contain errors, and urges developers to review it thoroughly before merging. In practice that means checking the diff, confirming that the resulting package versions match the fixed releases named in the advisories, and redeploying rather than assuming the pull request alone closes the issue. The issue is formally tracked under GitHub Security Advisory GHSA-9qr9-h5gf-34mp, React's CVE-2025-55182, and Next.js's CVE-2025-66478.
This discovery puts immediate pressure on the many developers and organizations using React Server Components, particularly within the Next.js ecosystem. The public advisories signal an urgent, coordinated response from the core maintainers at React and Vercel/Next.js. The risk extends to any production application relying on this technology without the necessary patches, since a successful exploit gives an attacker code execution on the server and therefore access to whatever backend systems and credentials that server can reach. The incident underscores how much of modern web security rests on framework-level dependencies, and how a flaw in a foundational protocol like React Flight cascades into every framework and host built on top of it.