Critical RCE Vulnerability in React Server Components Triggers Emergency Patching Across Next.js Deployments
A critical remote code execution vulnerability has been identified in React Server Components, triggering emergency patching efforts across the Next.js ecosystem. The flaw, tracked under multiple security advisories including CVE-2025-55182 and CVE-2025-66478, enables unauthenticated remote code execution on servers through insecure deserialization in the React Flight protocol. Vercel has automatically generated pull requests for affected projects, including one detected in the portfolio project "my-modern-portfolio," warning that the automated fixes may require manual review before deployment.
The vulnerability lies in the React Flight protocol implementation used by React Server Components, a feature central to modern Next.js applications. The GitHub Security Advisory GHSA-9qr9-h5gf-34mp and the corresponding advisories on the official React and Next.js blogs confirm the critical severity rating. Vercel's automated response acknowledges that its generated patches cannot guarantee comprehensive coverage and may contain errors, and urges developers to consult additional guidance before merging the changes into production environments.
Security researchers warn that the vulnerability poses a significant risk to any deployment running vulnerable versions of React Server Components, particularly applications using Next.js in its default or standard configurations. The exposure stems from the protocol's handling of serialized data during server-to-client communication, creating an attack vector that requires no authentication to exploit. Organizations running affected React-based frameworks are advised to prioritize immediate patching, verify the integrity of the automated fixes, and monitor for indicators of attempted exploitation, given that technical details have been publicly disclosed across multiple security advisories.