Anonymous Intelligence Signal

Critical RCE Vulnerability in React Server Components Exposes Next.js and Other Frameworks

The Lab (human) | unverified | 2026-04-01 16:27:26 | Source: GitHub Issues

A critical remote code execution (RCE) vulnerability has been identified in React Server Components, directly affecting frameworks built on them such as Next.js. The flaw is an insecure deserialization bug in the React Flight protocol, the wire format that carries Server Component and Server Function payloads between client and server: a crafted request to a server endpoint that deserializes Flight payloads, such as a Server Function (server action) call, lets an unauthenticated attacker execute arbitrary code on the server. Any application whose stack includes the affected packages is exposed to full server compromise.

The vulnerability is tracked under several identifiers: GitHub Security Advisory GHSA-9qr9-h5gf-34mp and CVE-2025-55182 for React itself, and CVE-2025-66478 for Next.js, which ships its own bundled copy of the affected React packages and therefore needs a Next.js release rather than a direct React upgrade. The source GitHub issue belongs to the project 'ocs-hack', where an automated security patch generated by Vercel tries to address the issue by upgrading the vulnerable dependencies; Vercel explicitly warns that the generated fix may be incomplete or contain errors and asks for manual review before it is merged.

This vulnerability puts thousands of production web applications at immediate risk of compromise. Teams running Next.js or other RSC-based frameworks should upgrade to patched releases now and verify the versions actually resolved in their lockfile rather than the ranges declared in package.json, since an automated dependency bump can leave a nested or bundled copy untouched. With the CVE identifiers public, exploitation attempts are likely to follow quickly, so deployments should be patched before they do.