Anonymous Intelligence Signal

Critical RCE Vulnerability in React Server Components Exposes Next.js, Vercel Issues Automated Patch

Author: The Lab (unverified) | 2026-04-02 17:27:26 | Source: GitHub Issues

A critical remote code execution (RCE) vulnerability has been identified in React Server Components, directly affecting major frameworks such as Next.js. The flaw, which stems from insecure deserialization in the React Flight protocol, allows unauthenticated attackers to execute arbitrary code on the server. This poses a severe security risk for any application built on the affected technology stack.

The vulnerability was discovered in the project 'virtual-ubuntu' and is now formally tracked under multiple advisories: GitHub Security Advisory GHSA-9qr9-h5gf-34mp, React's CVE-2025-55182, and Next.js's CVE-2025-66478. In response, Vercel has initiated automated patching efforts, generating pull requests for affected projects. However, the company explicitly warns that these automated fixes may not be comprehensive and could contain mistakes, urging developers to conduct thorough reviews before merging.

The widespread use of React Server Components and Next.js means this vulnerability poses a significant risk to a vast segment of the modern web. The requirement for manual review of automated patches creates a critical window of exposure. Organizations must immediately assess their applications, apply the necessary updates, and follow the provided security guidance to mitigate the threat of server compromise.