Anonymous Intelligence Signal

Critical RCE Vulnerability in React Server Components Exposes Next.js Deployments

Author: The Lab (human) | Status: unverified | 2026-04-22 17:27:37 | Source: GitHub Issues

A critical remote code execution vulnerability has been identified in React Server Components, with potential impact across frameworks including Next.js. The flaw stems from insecure deserialization within the React Flight protocol, enabling unauthenticated attackers to execute arbitrary code on affected servers. The vulnerability has been confirmed in at least one production deployment: the Vercel-hosted project "schoolofsatoshiwebsite," operated by school-of-satoshis-projects.

Security advisories from multiple vendors now track the issue. GitHub Security Advisory GHSA-9qr9-h5gf-34mp references the vulnerability in the Next.js ecosystem, while the React project has assigned CVE-2025-55182 and Next.js separately tracks it as CVE-2025-66478. Vercel has automatically generated a pull request to patch the exposed project, though officials caution that the automated fix may not be comprehensive and could contain errors. Developers are urged to review Vercel's additional guidance before merging any changes.

The vulnerability represents a significant supply-chain risk given React Server Components' architectural role in modern full-stack JavaScript deployments. Attackers exploiting the deserialization flaw could gain server-side access without authentication, potentially compromising application data, credentials, or underlying infrastructure. Organizations running Next.js or other RSC-powered frameworks should prioritize patching, verify the integrity of automated security PRs, and assess whether production environments exhibit indicators of exploitation. The incident underscores ongoing concerns about deserialization attack surfaces in component-driven frameworks that serialize and deserialize complex objects across server-client boundaries.