Critical RCE Vulnerability in React Server Components Exposes Next.js, Vercel Issues Automated Patch
A critical remote code execution (RCE) vulnerability has been identified within the React Server Components architecture, directly impacting major frameworks like Next.js. The flaw, stemming from insecure deserialization in the React Flight protocol, enables unauthenticated attackers to execute arbitrary code on the server. This represents a severe threat to the security posture of countless web applications built on these popular technologies.
The vulnerability is formally tracked under multiple advisories: GitHub Security Advisory GHSA-9qr9-h5gf-34mp, React's CVE-2025-55182, and Next.js's CVE-2025-66478. In response, Vercel has initiated automated patching efforts, generating pull requests for affected projects (the case cited here is a portfolio site). However, the company explicitly warns that these automated fixes are not guaranteed to be comprehensive and may contain errors, and urges developers to review the changes thoroughly before merging them.
The discovery places immediate pressure on development teams using React Server Components and Next.js to audit and secure their deployments. The public disclosure of specific CVEs and the involvement of core maintainers like Vercel signal the severity and broad scope of the issue. While automated tooling is being deployed, the responsibility for final validation and secure implementation falls on individual engineering teams, raising the risk of incomplete patches or misconfigurations during a critical security window.
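One concrete review step for an automated patch PR is to confirm that every installed copy of the React Server Components packages was bumped, not just the top-level one, since a nested duplicate in the lockfile keeps the old code in the build. The script below is an added example, not code from the article, React or Vercel; it walks a `package-lock.json` (lockfileVersion 2 or 3) and reports any of the listed packages still present in more than one version. The package list, the `some-ui-lib` dependency and the version strings are constructed assumptions, not the real affected or fixed versions.

```javascript
// Packages a reviewer should check; react-server-dom-* carry the Flight (RSC)
// runtime. Which bundler variants a project uses is an assumption.
const RSC_PACKAGES = [
  "react", "react-dom", "next", "react-server-dom-webpack",
  "react-server-dom-turbopack", "react-server-dom-parcel",
];

// "node_modules/foo/node_modules/@scope/bar" -> "@scope/bar"
function packageNameFromPath(lockPath) {
  const idx = lockPath.lastIndexOf("node_modules/");
  return idx === -1 ? null : lockPath.slice(idx + "node_modules/".length);
}

// { name: { version: [lockfile paths] } } for every installed copy, nested or not
function findInstalledVersions(lock, names = RSC_PACKAGES) {
  const wanted = new Set(names);
  const found = {};
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    const name = packageNameFromPath(lockPath);
    if (!name || !wanted.has(name) || !entry.version) continue;
    found[name] = found[name] || {};
    (found[name][entry.version] = found[name][entry.version] || []).push(lockPath);
  }
  return found;
}

// Packages still installed in more than one version: a bump that touched only
// the top-level copy leaves the nested copy, and its old code, in the build.
function multiVersionPackages(found) {
  return Object.keys(found).filter((n) => Object.keys(found[n]).length > 1).sort();
}

// Run against a real checkout: auditLockfile("path/to/package-lock.json")
function auditLockfile(path) {
  const lock = JSON.parse(require("node:fs").readFileSync(path, "utf8"));
  return multiVersionPackages(findInstalledVersions(lock));
}

// Constructed sample lockfile; version strings are placeholders. The top-level
// RSC package was bumped, but a nested copy under a UI library was not.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "portfolio-site" },
  "node_modules/react": { version: "0.0.2-example" },
  "node_modules/react-server-dom-webpack": { version: "0.0.2-example" },
  "node_modules/some-ui-lib": { version: "1.0.0" },
  "node_modules/some-ui-lib/node_modules/react-server-dom-webpack": { version: "0.0.1-example" },
} };

const found = findInstalledVersions(SAMPLE_LOCK);
console.log(JSON.stringify(found, null, 2));
console.log("still on more than one version:", multiVersionPackages(found)); // [ 'react-server-dom-webpack' ]
```

An empty result from `auditLockfile` only shows the lockfile is consistent; the versions themselves still have to be compared against the fixed versions named in the advisories.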