Anonymous Intelligence Signal

Critical RCE Vulnerability in React Server Components Exposes Next.js and Vercel Projects

human | The Lab (unverified) | 2026-04-01 16:27:27 | Source: GitHub Issues

A critical remote code execution (RCE) vulnerability has been identified in React Server Components, directly impacting major frameworks like Next.js. The flaw, which enables unauthenticated attackers to execute arbitrary code on the server, stems from insecure deserialization within the React Flight protocol. This vulnerability was discovered in a specific project hosted on Vercel, highlighting a systemic risk for countless applications built on these popular technologies.

The issue is formally tracked under multiple high-severity advisories: GitHub Security Advisory GHSA-9qr9-h5gf-34mp, React's CVE-2025-55182, and Next.js's CVE-2025-66478. Vercel has initiated automated patching efforts, generating pull requests for affected projects like 'my-saas'. However, the company explicitly warns that these automated fixes may not be comprehensive and could contain mistakes, urging developers to conduct thorough reviews before merging any changes.
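Because the automated pull requests are explicitly not guaranteed to be complete, a maintainer still needs an independent inventory of every copy of the React Flight runtime and of Next.js that a project actually installs, including nested duplicates pulled in by other dependencies. The script below is an added illustration of that check, not code from the advisory, React or Vercel. It assumes an npm `package-lock.json` in the lockfileVersion 2/3 layout (installed packages listed under `"packages"` keyed by their `node_modules` path) and a watched-package list consisting of `react-server-dom-webpack`, `react-server-dom-turbopack`, `react-server-dom-parcel` and `next`. The fixed-version table is a placeholder that the operator fills in from GHSA-9qr9-h5gf-34mp, CVE-2025-55182 and CVE-2025-66478; the version numbers in the sample lockfile and sample table are constructed for the demonstration only.

```python
"""Inventory check for React Server Components runtime packages in an npm lockfile.

Added example, not from the advisory, React or Vercel. Walks a package-lock.json
(lockfileVersion 2/3 layout), reports every installed copy of the watched
packages, and classifies each as patched / vulnerable / needs-review against a
fixed-version table keyed by "major.minor" line.
"""
import json
import re
import sys
from typing import Dict, Iterator, List, Tuple

# Assumption: these packages carry the Flight (RSC) deserialiser or bundle it.
WATCHED_PACKAGES = (
    "react-server-dom-webpack",
    "react-server-dom-turbopack",
    "react-server-dom-parcel",
    "next",
)

# PLACEHOLDER: package -> {"major.minor": first patched release}. Deliberately
# empty; populate it from GHSA-9qr9-h5gf-34mp, CVE-2025-55182 and
# CVE-2025-66478. With an empty table every hit is reported as "needs-review"
# rather than silently treated as patched.
FIXED_VERSIONS: Dict[str, Dict[str, str]] = {}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Return (major, minor, patch); prerelease/build suffixes are ignored."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def installed_packages(lock: dict) -> Iterator[Tuple[str, str, str]]:
    """Yield (name, version, lockfile_path) for every installed copy.

    Keys look like "node_modules/next" or, for a nested duplicate,
    "node_modules/some-dep/node_modules/react-server-dom-webpack".
    The empty key "" is the root project and is skipped.
    """
    for path, entry in lock.get("packages", {}).items():
        if not path:
            continue
        name = path.rsplit("node_modules/", 1)[-1]   # keeps @scope/name intact
        version = entry.get("version")
        if version:
            yield name, version, path


def audit_lockfile(lock: dict, fixed: Dict[str, Dict[str, str]]) -> List[dict]:
    """Classify each watched package copy found in the lockfile."""
    findings: List[dict] = []
    for name, version, path in installed_packages(lock):
        if name not in WATCHED_PACKAGES:
            continue
        major, minor, patch = parse_version(version)
        first_fixed = fixed.get(name, {}).get(f"{major}.{minor}")
        if first_fixed is None:
            status = "needs-review"          # no fixed release recorded for this line
        elif (major, minor, patch) >= parse_version(first_fixed):
            status = "patched"
        else:
            status = "vulnerable"
        findings.append({"package": name, "version": version, "path": path,
                         "status": status, "first_fixed": first_fixed})
    return findings


def needs_action(findings: List[dict]) -> bool:
    """True unless every watched copy is confirmed patched."""
    return any(f["status"] != "patched" for f in findings)


# Constructed sample lockfile (not a real project); note the nested duplicate
# copy of react-server-dom-webpack that a top-level check would miss.
SAMPLE_LOCK = {
    "name": "example-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "version": "1.0.0"},
        "node_modules/next": {"version": "15.5.3"},
        "node_modules/react": {"version": "19.1.4"},
        "node_modules/react-server-dom-webpack": {"version": "19.1.9"},
        "node_modules/some-ui-kit": {"version": "2.0.0"},
        "node_modules/some-ui-kit/node_modules/react-server-dom-webpack": {"version": "19.1.4"},
        "node_modules/react-server-dom-turbopack": {"version": "19.0.2-canary.1"},
    },
}

# Constructed fixed-version table for the demo only; real values come from the advisories.
SAMPLE_FIXED = {"react-server-dom-webpack": {"19.1": "19.1.9"}, "next": {"15.5": "15.5.9"}}


if __name__ == "__main__":
    # Usage: python rsc_audit.py [package-lock.json]; without an argument the sample runs.
    lock = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_LOCK
    table = FIXED_VERSIONS if len(sys.argv) > 1 else SAMPLE_FIXED
    results = audit_lockfile(lock, table)
    for f in results:
        print(f"{f['status']:<13} {f['package']}@{f['version']}  ({f['path']})")
    sys.exit(1 if needs_action(results) else 0)
```

Run against each project's lockfile after the automated pull request is merged; a non-zero exit means at least one copy is either below the recorded fixed release or on a line the table does not cover, which is exactly the case where Vercel's warning about incomplete automated fixes applies.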

The discovery places immediate pressure on development teams using React Server Components, particularly within the Vercel and Next.js ecosystems. While automated patches are being deployed, the onus remains on individual project maintainers to verify that their applications are actually fixed. This vulnerability underscores a persistent risk in modern web development stacks: a flaw in a core protocol can cascade into widespread exposure, and remediation must be both urgent and careful to prevent server compromise.