Critical RCE Vulnerability in React Server Components Exposes Next.js and Other Frameworks
A critical remote code execution (RCE) vulnerability has been identified in React Server Components, and it directly affects the major frameworks built on them, Next.js above all. The flaw stems from insecure deserialization in the React Flight protocol, the wire format React uses to serialize component trees and server function arguments between client and server: a server that decodes an attacker-supplied Flight payload can be made to execute arbitrary code, and no authentication is required to send one. This is not a theoretical risk; the vulnerability was found in a live project rather than a lab setting, which underscores how readily it can be exploited.
The issue is tracked under several high-severity advisories: GitHub Security Advisory GHSA-9qr9-h5gf-34mp, React's CVE-2025-55182, and Next.js's CVE-2025-66478. Vercel has started an automated patching effort that opens pull requests against affected projects. The company explicitly warns, however, that these automated fixes may be incomplete or contain errors, so developers must review each generated change before merging it rather than treating the pull request as proof that the exposure is closed.
The disclosure warrants urgent scrutiny of any production system that uses React Server Components. The core mechanism, insecure deserialization of untrusted input, is a classic and dangerous attack vector because the server processes attacker-controlled structure before any application-level validation runs. A very large number of applications are therefore exposed to compromise, data theft, and full server takeover. Developers and security teams should treat this as a priority: confirm that every installed copy of the affected React and Next.js packages, including copies nested under other dependencies, is at a fixed version named in the advisories, verify any automated patch, and follow the official guidance before the flaw is widely exploited.