Critical Remote Code Execution Vulnerability in React Server Components Exposes Next.js Servers to Unauthenticated Attacks
A critical remote code execution vulnerability has been identified in React Server Components, enabling unauthenticated attackers to execute arbitrary code on affected servers. The flaw stems from insecure deserialization within the React Flight protocol, a mechanism used to serialize server component data for client-side rendering. The security researchers who discovered the weakness identified it within the v0-card-stack project hosted on Vercel, raising immediate concerns about broader exposure across the ecosystem. The vulnerability carries a critical severity rating and poses a direct threat to any application relying on server components for data transmission between backend and frontend layers.
The flaw is tracked under multiple coordinated disclosures: GitHub Security Advisory GHSA-9qr9-h5gf-34mp, React advisory CVE-2025-55182, and Next.js advisory CVE-2025-66478. Vercel has automatically generated pull requests targeting the vulnerable code path, though officials caution that these automated patches may be incomplete or contain errors. Organizations using Next.js and related frameworks built on React Server Components are urged to review Vercel's guidance and conduct independent audits before applying any remediation. The coordinated disclosure across multiple platforms indicates that the vulnerability's scope extends beyond a single implementation, affecting the underlying protocol specification itself.
The incident highlights persistent risks in deserialization handling, particularly in frameworks that serialize complex server-to-client data flows. Developers are advised to avoid merging automated security patches without verification, as the generated fix may introduce regressions or fail to address all attack vectors. Security teams should monitor official channels from React, Next.js, and Vercel for further updates, as the full blast radius of this vulnerability across dependent projects and hosting environments remains under active assessment.
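As a concrete form of the independent audit the advisory guidance calls for, the following Node.js script is an added example (not code from React, Next.js, Vercel, or the advisories) that inventories every installed copy of the React Server Components-related packages recorded in a package-lock.json, including nested copies under other packages, and reports those older than a fixed version the caller supplies. The package list (`react`, `react-dom`, `react-server-dom-webpack`, `react-server-dom-turbopack`, `react-server-dom-parcel`, `next`) and the lockfile fragment are constructed assumptions; the version numbers in it are placeholders and not a statement of which releases are affected, and the fixed versions must be taken from the three advisories named above.

```javascript
// Added example: audit a package-lock.json (lockfile v2/v3 "packages" map) for
// React Server Components-related packages and flag copies older than a
// caller-supplied fixed version. Package names and sample data are assumptions.

const WATCHED = [
  'react', 'react-dom', 'react-server-dom-webpack',
  'react-server-dom-turbopack', 'react-server-dom-parcel', 'next',
];

// Constructed lockfile fragment. Versions are placeholders, not a claim about
// which releases carry the flaw.
const SAMPLE_LOCK = JSON.stringify({
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { next: '^15.0.0', react: '^19.0.0' } },
    'node_modules/next': { version: '15.0.0' },
    'node_modules/react': { version: '19.0.0' },
    'node_modules/react-dom': { version: '19.0.0' },
    'node_modules/react-server-dom-webpack': { version: '19.0.0' },
    // Nested copy: a second install hidden under another package.
    'node_modules/next/node_modules/react-server-dom-turbopack': { version: '19.0.1' },
    'node_modules/lodash': { version: '4.17.21' },
  },
});

// Compare two dotted numeric versions; returns -1, 0 or 1. A prerelease tag
// ("19.0.0-rc.1") is stripped and ranks below the bare release. Build metadata
// ("+build") is not handled.
function compareVersions(a, b) {
  const split = (v) => {
    const [core, pre] = v.split('-');
    return { nums: core.split('.').map(Number), pre: pre !== undefined };
  };
  const x = split(a);
  const y = split(b);
  for (let i = 0; i < 3; i++) {
    const d = (x.nums[i] || 0) - (y.nums[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  if (x.pre !== y.pre) return x.pre ? -1 : 1;
  return 0;
}

// Walk every "node_modules/<name>" entry (nested copies included) and collect
// the versions of watched packages, keyed by package name.
function inventory(lockJson) {
  const lock = JSON.parse(lockJson);
  const found = {};
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path) continue; // "" is the root project itself
    // The package name is everything after the last "node_modules/", so scoped
    // names ("@scope/pkg") and nested installs are both handled.
    const marker = 'node_modules/';
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    if (WATCHED.includes(name) && entry.version) {
      (found[name] ||= []).push({ path, version: entry.version });
    }
  }
  return found;
}

// Report each installed copy that is older than the fixed version supplied for
// that package. fixedVersions comes from the advisories; nothing is hard-coded.
function findOutdated(lockJson, fixedVersions) {
  const hits = [];
  for (const [name, copies] of Object.entries(inventory(lockJson))) {
    const fixed = fixedVersions[name];
    if (!fixed) continue; // no threshold given for this package: skip, do not guess
    for (const copy of copies) {
      if (compareVersions(copy.version, fixed) < 0) {
        hits.push({ name, path: copy.path, version: copy.version, fixed });
      }
    }
  }
  return hits;
}
```

To run it against a real project, read `package-lock.json` with `fs.readFileSync` and pass the text to `findOutdated` together with an object mapping each package to the fixed version published in the advisories; every copy it returns, including ones nested under `next` or another dependency, needs to be upgraded or deduplicated, which is exactly the kind of case an automated pull request that touches only the top-level dependency can miss.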