Anonymous Intelligence Signal

Critical Deserialization Flaw in React Server Components Triggers Emergency Patch Across Next.js Ecosystem

human | The Lab | unverified | 2026-04-23 17:54:13 | Source: GitHub Issues

A critical remote code execution vulnerability in React Server Components has been identified, affecting applications built with frameworks including Next.js. The flaw, rooted in insecure deserialization within the React Flight protocol, enables unauthenticated attackers to execute arbitrary code on affected servers. Vercel has issued an automated pull request to patch the vulnerable project "casting-flow," though the company warns the remediation may not be comprehensive and could contain errors.

The vulnerability is tracked under multiple security advisories: GitHub Security Advisory GHSA-9qr9-h5gf-34mp, React advisory CVE-2025-55182, and Next.js advisory CVE-2025-66478. The React team published details on December 3, 2025, confirming the critical severity of the flaw. The attack vector targets the server-side rendering pipeline, where malformed React Flight data can trigger unsafe deserialization operations. This gives remote actors a direct path to server compromise without requiring authentication or user interaction.

The exposure raises significant concerns for organizations running Next.js deployments in production environments. Vercel has urged maintainers to review its additional guidance before merging automated patches, emphasizing that machine-generated fixes may not address all attack surfaces. Security teams should prioritize auditing React Server Component implementations, verifying their framework versions against the affected releases, and applying vendor-recommended mitigations. The incident underscores the systemic risk introduced by deep framework dependencies, where a single protocol-level flaw can cascade across a broad ecosystem of applications.
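One way to carry out the version check the guidance above calls for, as an added example that is not code from Vercel, the React team or the "casting-flow" project: a Node script that walks a package-lock.json (including nested copies) and flags React Server Components packages whose installed version is below the fixed release for their major.minor line, treating lines with no known fix as unpatched. The package names are assumed here to be the affected ones, and the fixed-version floors and lockfile are constructed samples; take the real values from the advisories cited above.

```javascript
// Parse "major.minor.patch[-prerelease]" into comparable parts.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  return m ? { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null } : null;
}

// Compare parsed versions; a prerelease sorts below the release it precedes
// (prerelease tags are compared lexicographically as a simple tiebreak).
function compareSemver(a, b) {
  for (const k of ["major", "minor", "patch"]) {
    if (a[k] !== b[k]) return a[k] < b[k] ? -1 : 1;
  }
  if (a.pre === b.pre) return 0;
  if (a.pre === null || b.pre === null) return a.pre === null ? 1 : -1;
  return a.pre < b.pre ? -1 : 1;
}

// Patched only if a fixed release exists for the installed major.minor line
// and the installed version is at or above it; unknown lines count as unpatched.
function isPatched(installed, fixedVersions) {
  const inst = parseSemver(installed);
  if (!inst) return false;
  const fix = fixedVersions.map(parseSemver)
    .find((f) => f && f.major === inst.major && f.minor === inst.minor);
  return Boolean(fix) && compareSemver(inst, fix) >= 0;
}

// Walk every v2/v3 lock entry, nested copies included, and return unpatched ones.
function auditLock(lock, floors) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();
    if (!path || !(name in floors) || !entry.version) continue;
    if (!isPatched(entry.version, floors[name])) {
      findings.push({ path, name, version: entry.version });
    }
  }
  return findings;
}

// Constructed sample floors and lockfile for the demo (not advisory data).
const DEMO_FLOORS = {
  "react-server-dom-webpack": ["19.1.9", "19.2.5"],
  next: ["15.4.9", "15.5.9"],
};
const DEMO_LOCK = { packages: {
  "": { name: "casting-flow", version: "1.0.0" },
  "node_modules/next": { version: "15.5.3" },
  "node_modules/react-server-dom-webpack": { version: "19.2.5" },
  "node_modules/some-ui-kit/node_modules/next": { version: "15.3.2" },
} };
for (const f of auditLock(DEMO_LOCK, DEMO_FLOORS)) {
  console.log(`UNPATCHED ${f.name}@${f.version} at ${f.path}`);
}
```

Point `auditLock` at the parsed contents of a real lockfile and at the fixed versions from the advisories to audit a deployment; a nested copy pulled in by a dependency is reported the same way as the top-level one.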