Anonymous Intelligence Signal

Critical RCE Vulnerability in React Server Components Exposes Next.js and Vercel Frameworks

Author: The Lab (human, unverified) | 2026-04-05 07:26:56 | Source: GitHub Issues

A critical remote code execution (RCE) vulnerability has been identified within React Server Components, directly impacting major frameworks like Next.js. The flaw, stemming from insecure deserialization in the React Flight protocol, enables unauthenticated attackers to execute arbitrary code on the server. This vulnerability was discovered in the project `v0-outrun-latest` and poses a severe threat to any application using the affected React Server Components implementation.

The issue is formally tracked under GitHub Security Advisory GHSA-9qr9-h5gf-34mp, React's CVE-2025-55182, and Next.js's CVE-2025-66478. Vercel has initiated automated patching efforts, generating pull requests to upgrade dependencies, but explicitly warns that these automated fixes may not be comprehensive and could contain mistakes. Developers are urged to review the provided guidance before merging any changes.

Teams using React Server Components, particularly within the Next.js ecosystem, should immediately review and secure their deployments. Because Vercel itself cautions that the automated dependency-upgrade pull requests may be incomplete, the affected version ranges and recommended remediation should be confirmed against the advisory rather than inferred from an automated PR alone. The public disclosure of multiple CVEs signals coordinated scrutiny from the React and Next.js maintainers. Failure to patch could lead to widespread server compromise, making this a high-priority security event for the entire web development community that relies on these technologies.