Critical RCE Vulnerability in React Server Components Exposes Next.js Deployments to Unauthenticated Attacks
A critical remote code execution vulnerability has been identified in React Server Components, affecting applications built with frameworks including Next.js. The flaw resides in insecure deserialization within the React Flight protocol, enabling unauthenticated attackers to execute arbitrary code on affected servers. Vercel issued an automatic pull request to assist with patching efforts for at least one compromised project, though officials cautioned that the fix may not be comprehensive and could require additional review before deployment.
The vulnerability was discovered in the project "profileinteriordesign-invoice," hosted under Vercel's infrastructure. Security advisories have been published across multiple platforms to track the exposure: GitHub Security Advisory GHSA-9qr9-h5gf-34mp, React Advisory CVE-2025-55182, and Next.js Advisory CVE-2025-66478. The attack vector targets the React Flight protocol, which handles server-to-client component streaming, making any application relying on React Server Components a potential target if left unpatched.
The discovery raises significant concerns for organizations running React-based server environments. Developers are urged to review the official React and Next.js security guidance before merging any automated patches. The severity rating stems from unauthenticated exploitability: an attacker needs no prior access or credentials to execute code remotely. Organizations using Vercel, Next.js, or other frameworks leveraging React Server Components should prioritize immediate assessment and remediation efforts, particularly for internet-facing deployments.
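The assessment step above starts with knowing which copies of the React Flight packages a deployment actually ships, including nested duplicates that a top-level dependency check can miss. The following Node.js script is an added example, not code from the article, React, Next.js, or Vercel: it walks an npm lockfile (lockfileVersion 2 or 3) and classifies every installed copy of the tracked packages against a per-minor-line patched floor. The tracked package set is an assumption (the `react-server-dom-*` packages implement Flight for their respective bundlers, and `next` is the framework package), the lockfile is constructed, and the floor versions are placeholders; take the real patched versions from the advisories the article names (GHSA-9qr9-h5gf-34mp, CVE-2025-55182, CVE-2025-66478).

```javascript
'use strict';

// Assumed set of packages to track: the React Flight implementations per
// bundler plus the Next.js framework package. Extend for your own stack.
const RSC_PACKAGES = new Set([
  'react-server-dom-webpack',
  'react-server-dom-turbopack',
  'react-server-dom-parcel',
  'next',
]);

// Parse "19.2.0" or "19.2.0-canary-abc" into comparable parts.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v);
  if (!m) return null;
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Negative if a < b, 0 if equal, positive if a > b.
// A prerelease of X.Y.Z sorts below the X.Y.Z release.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  if (!pa || !pb) throw new Error(`unparseable version: ${pa ? b : a}`);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] - pb.nums[i];
  }
  if (pa.pre && !pb.pre) return -1;
  if (!pa.pre && pb.pre) return 1;
  return 0;
}

// Patched releases usually land on several minor lines at once, so a single
// floor is not enough: compare against the floor for the same major.minor.
// Returns 'patched', 'vulnerable', or 'unknown' (no floor for that line).
function classify(version, floors) {
  const pv = parseVersion(version);
  if (!pv) return 'unknown';
  for (const floor of floors) {
    const pf = parseVersion(floor);
    if (pf && pf.nums[0] === pv.nums[0] && pf.nums[1] === pv.nums[1]) {
      return compareVersions(version, floor) >= 0 ? 'patched' : 'vulnerable';
    }
  }
  return 'unknown';
}

// Lockfile keys look like "node_modules/next" or
// "node_modules/a/node_modules/react-server-dom-webpack"; the package name is
// everything after the last "node_modules/" (scoped names keep their "@scope/").
function packageNameFromPath(key) {
  const parts = key.split('node_modules/');
  return parts[parts.length - 1];
}

// Walk the lockfile "packages" map and return one finding per installed copy
// of a tracked package, nested duplicates included.
function auditLockfile(lockfile, patchedFloors) {
  const findings = [];
  for (const [key, entry] of Object.entries(lockfile.packages || {})) {
    if (key === '' || !entry || !entry.version) continue; // root project entry
    const name = packageNameFromPath(key);
    if (!RSC_PACKAGES.has(name)) continue;
    findings.push({
      name,
      path: key,
      version: entry.version,
      status: classify(entry.version, patchedFloors[name] || []),
    });
  }
  return findings;
}

// Constructed sample lockfile (not a real project) with PLACEHOLDER floors;
// substitute the patched versions published in the advisories.
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app', version: '0.0.0' },
    'node_modules/next': { version: '1.2.0' },
    'node_modules/react-server-dom-webpack': { version: '1.2.0' },
    'node_modules/some-lib/node_modules/react-server-dom-webpack': { version: '1.1.9' },
    'node_modules/react-server-dom-turbopack': { version: '1.3.0' },
    'node_modules/react': { version: '1.2.0' }, // not tracked, skipped
  },
};
const PLACEHOLDER_FLOORS = {
  next: ['1.2.1'],
  'react-server-dom-webpack': ['1.0.9', '1.1.9', '1.2.1'],
};

function printReport(lockfile, floors) {
  for (const f of auditLockfile(lockfile, floors)) {
    console.log(`${f.status.padEnd(10)} ${f.name}@${f.version}  (${f.path})`);
  }
}

printReport(SAMPLE_LOCKFILE, PLACEHOLDER_FLOORS);
```

To run it against a real project, replace `SAMPLE_LOCKFILE` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` and fill the floors from the advisories; an 'unknown' result means the installed minor line has no floor in your table and needs a manual check rather than being treated as safe.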