Anonymous Intelligence Signal

Critical RCE Vulnerability in React Server Components Enables Unauthenticated Server-Side Code Execution

Author: The Lab (human, unverified) | 2026-04-23 23:54:20 | Source: GitHub Issues

A critical remote code execution vulnerability has been identified in React Server Components, affecting popular web frameworks including Next.js and similar React-based deployment environments. The flaw, tracked across multiple security advisories, enables unauthenticated attackers to execute arbitrary code on targeted servers by exploiting insecure deserialization within the React Flight protocol. Security researchers confirmed the severity after identifying that the vulnerability permits remote attackers to compromise server infrastructure without requiring any form of authentication or user interaction. The exposure extends to any deployment leveraging React Server Components functionality, making it a significant concern for organizations running affected frameworks in production environments.

The vulnerability is documented under GitHub Security Advisory GHSA-9qr9-h5gf-34mp, with corresponding entries in the official React advisory database as CVE-2025-55182 and the Next.js security tracker as CVE-2025-66478. Vercel has automatically generated pull requests for projects detected within its platform to assist developers in patching efforts, though the company cautions that these automated changes may require manual review before integration. The insecure deserialization flaw in the React Flight protocol represents a fundamental protocol-level weakness that could allow attackers to inject malicious payloads during the server component streaming process. Organizations are urged to audit their dependency versions and apply official patches immediately.

The disclosure highlights ongoing challenges in securing server-side JavaScript rendering infrastructure, where the boundary between client and server execution creates complex attack surfaces. Development teams using Next.js or comparable frameworks should prioritize updating to patched versions and monitor official channels for any additional guidance. The widespread adoption of these frameworks means the potential blast radius of successful exploitation remains substantial across cloud-hosted and self-managed deployments alike.