Critical RCE Vulnerability in React Server Components Exposes Next.js Applications to Server-Side Attacks
A critical remote code execution vulnerability in React Server Components has been identified, enabling unauthenticated attackers to execute arbitrary code on servers through insecure deserialization in the React Flight protocol. Security advisories tracking the flaw include GHSA-9qr9-h5gf-34mp, CVE-2025-55182, and CVE-2025-66478, classifying the issue as high-severity across the ecosystem.
The flaw lies in the React Server Components implementation itself, so every framework that builds on it, including Next.js, is affected. The project freelancer-website, hosted on Vercel's platform, has been confirmed as an impacted repository. The attack vector abuses how React Flight deserializes incoming request data, allowing remote command execution without authentication or user interaction. Vercel has responded by generating an automated pull request to assist with patching, though the company explicitly cautions that the proposed changes may not be comprehensive and could contain errors.
Security teams managing Next.js deployments should immediately cross-reference their implementations against the listed advisories. The vulnerability presents a severe risk because successful exploitation grants the attacker full server-side access, potentially exposing sensitive data, internal systems, and downstream services. While the automated pull request offers an initial remediation path, the notice advises reviewing Vercel's additional guidance before merging any changes. Organizations are urged to prioritize patching given the low bar for exploitation (no authentication or user interaction required) and the broad adoption of React Server Components across production environments.