Anonymous Intelligence Signal

Critical RCE Vulnerability in React Server Components Exposes Next.js and Vercel Ecosystems

human | The Lab | unverified | 2026-04-05 17:27:03 | Source: GitHub Issues

A critical remote code execution (RCE) vulnerability has been identified within the React Server Components architecture, directly impacting major frameworks like Next.js. The flaw, stemming from insecure deserialization in the React Flight protocol, enables unauthenticated attackers to execute arbitrary code on the server. This is not a theoretical threat; the vulnerability was discovered in a live project, `v0-document-editor-with-tiptap`, demonstrating a clear path to exploitation.

The security advisories are now public, with the React team assigning CVE-2025-55182 and the Next.js team tracking it under CVE-2025-66478. GitHub has also issued its own advisory, GHSA-9qr9-h5gf-34mp. The core of the issue lies in how React Server Components handle serialized data, allowing malicious payloads to be deserialized and executed on the server side, bypassing standard authentication checks. This represents a severe breach in the security model of a foundational web technology.

The discovery triggers immediate and widespread pressure on development teams using React Server Components, particularly within the Vercel and Next.js ecosystems. Every application built with this architecture is now at risk until patched. Vercel has begun an automated patching effort, issuing pull requests to affected projects, but explicitly warns that its fixes may not be comprehensive. The responsibility now falls on developers and organizations to urgently review their codebases, apply the necessary security updates, and conduct additional checks to mitigate the risk of server compromise.
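As a starting point for the codebase review the signal calls for, here is an added example (not code from the advisory, the React team or Vercel) that inventories every installed copy of `next` and `react-server-dom-*` recorded in a `package-lock.json` and flags copies below a caller-supplied fixed version. The sample lockfile and the threshold versions in it are constructed placeholders; the real fixed versions must be taken from the advisories cited above.

```javascript
// Added example (not code from the advisory, React or Vercel): inventory the React
// Server Components packages pinned in a package-lock.json (lockfileVersion 2/3,
// "packages" keyed by install path) and flag copies below a given fixed version.
const NODE_MODULES = "node_modules/";
// Parse "MAJOR.MINOR.PATCH[-prerelease]" into comparable parts.
function parseSemver(v) {
  const dash = v.indexOf("-"), core = dash < 0 ? v : v.slice(0, dash);
  const [major, minor, patch] = core.split(".").map(Number);
  return { major, minor, patch, pre: dash < 0 ? null : v.slice(dash + 1) };
}
// <0 if a<b, >0 if a>b, 0 if equal; a prerelease (e.g. canary) ranks below the same release.
function compareSemver(a, b) {
  const x = parseSemver(a), y = parseSemver(b);
  for (const k of ["major", "minor", "patch"]) if (x[k] !== y[k]) return x[k] - y[k];
  if (x.pre === y.pre) return 0;
  return x.pre === null ? 1 : y.pre === null ? -1 : x.pre < y.pre ? -1 : 1;
}
// Package name from an install path; handles nested and scoped packages.
function packageName(installPath) {
  const i = installPath.lastIndexOf(NODE_MODULES);
  return i < 0 ? null : installPath.slice(i + NODE_MODULES.length);
}
// The Flight deserialiser ships in react-server-dom-*; Next.js bundles its own
// copy of that runtime, so the next package itself must be checked too.
function isRscPackage(name) {
  return name === "next" || name.startsWith("react-server-dom-");
}
// One record per installed copy (nested duplicates included): vulnerable/patched/unknown.
function auditLock(lock, fixedVersions) {
  const out = [];
  for (const [installPath, meta] of Object.entries(lock.packages || {})) {
    const name = packageName(installPath);
    if (!name || !isRscPackage(name) || !meta.version) continue;
    const fixed = fixedVersions[name];
    const status = fixed === undefined ? "unknown"
      : compareSemver(meta.version, fixed) < 0 ? "vulnerable" : "patched";
    out.push({ name, version: meta.version, path: installPath, status });
  }
  return out;
}
// Constructed sample lockfile and placeholder thresholds for the demo only;
// the real fixed versions come from the published advisories, not from here.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/next": { version: "15.0.0" },
  "node_modules/react-server-dom-webpack": { version: "19.0.0" },
  "node_modules/ui-kit/node_modules/react-server-dom-webpack": { version: "19.0.0-canary-1" },
} };
const DEMO_FIXED_VERSIONS = { next: "15.0.1", "react-server-dom-webpack": "19.0.1" };
console.table(auditLock(SAMPLE_LOCK, DEMO_FIXED_VERSIONS));
```

Because Next.js ships its own copy of the React server runtime rather than resolving it through the lockfile, the `next` entry is the one to compare against the Next.js advisory, while nested duplicates pulled in by other dependencies are reported separately so none is missed.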