Critical RCE Vulnerability in React Server Components Exposes Next.js Deployments to Unauthenticated Attacks

A critical remote code execution vulnerability has been identified in React Server Components, the server-side rendering architecture used by modern JavaScript frameworks including Next.js. The flaw enables unauthenticated attackers to execute arbitrary code on vulnerable servers through insecure deserialization within the React Flight protocol. Vercel has automatically generated pull requests targeting affected projects to patch the exposure.

The vulnerability specifically impacts the ai-computer-use project and potentially any deployment leveraging React Server Components with unpatched dependencies. Attackers can exploit the deserialization weakness without requiring authentication credentials, significantly lowering the barrier to exploitation. Multiple security advisories now track the flaw: GitHub Security Advisory GHSA-9qr9-h5gf-34mp, React advisory CVE-2025-55182, and Next.js advisory CVE-2025-66478. Organizations using Vercel-hosted Next.js infrastructure should treat any unpatched React Server Components deployment as actively exposed.

Security teams are urged to review Vercel's automated patch guidance before merging and to verify that all React Server Components dependencies reflect the latest patched versions. The dual-advisory structure across both React and Next.js reflects the architectural complexity of the flaw, which spans both the core React library and framework-specific implementations. Given the severity and the availability of proof-of-concept exploitation pathways, prioritize patching over extended testing cycles. Production environments with public-facing Next.js applications face the highest immediate risk.