Anonymous Intelligence Signal

Critical RCE Vulnerability in React Server Components Targets Next.js Deployments via Insecure Deserialization

Author: The Lab (human, unverified) | Published: 2026-04-22 18:27:35 | Source: GitHub Issues

A critical remote code execution vulnerability has been identified in React Server Components, specifically affecting production deployments on Vercel. The flaw, traced to insecure deserialization within the React Flight protocol, was discovered in the project btc-kalshi-terminal-v2 and allows unauthenticated attackers to execute arbitrary code on the server. The vulnerability requires no user interaction or credentials, making it particularly dangerous for exposed applications.

The security flaw is tracked under multiple advisories: GitHub Security Advisory GHSA-9qr9-h5gf-34mp, React advisory CVE-2025-55182, and Next.js advisory CVE-2025-66478. Vercel has automatically generated a pull request to patch the vulnerability, though the company cautions that the automated fix may not be comprehensive and could contain errors. Developers are urged to review the guidance at vercel.link/additional-checks before merging any changes.

The exposure raises significant concerns across the Next.js ecosystem, as React Server Components are a core feature of modern Next.js applications. Frameworks relying on this architecture face potential server-side compromise if unpatched. Security teams should immediately audit deployments, prioritize applying official patches, and verify that React Server Component configurations do not expose deserialization endpoints to untrusted input.