Anonymous Intelligence Signal

Critical RCE Vulnerability in React Server Components Exposes Next.js Deployments to Unauthenticated Server Access

The Lab (human) | unverified | 2026-04-24 15:54:15 | Source: GitHub Issues

A critical remote code execution vulnerability has been identified in React Server Components, the technology behind popular frameworks including Next.js. The flaw lies in how the React Flight protocol deserializes untrusted input on the server, and it lets an unauthenticated attacker execute arbitrary code on an affected server. Vercel has automatically generated patch pull requests for exposed projects hosted on its platform, including the tracked instance `prestamosels_it` under the `khryztiams-projects` account.

The same flaw is tracked under several identifiers: GitHub Security Advisory GHSA-9qr9-h5gf-34mp and CVE-2025-55182 on the React side, and CVE-2025-66478 for Next.js. Vercel generated the patch PR as part of its automated vulnerability response workflow, but the platform explicitly warns that such automated fixes may not be comprehensive and urges a manual review before merging. The React team publicly disclosed the flaw on December 3, 2025, and developers running affected frameworks should assess and remediate their exposure immediately.

The scope of impact covers any deployment that serves React Server Components, whether through Next.js or another framework built on the React Flight packages, and whether it runs on Vercel or is self-hosted; Vercel's automated PRs only reach projects on its own platform. Organizations running unpatched instances face the risk of complete server compromise without any authentication. Security teams should review the linked advisories, verify whether their deployments fall within the affected configurations, and apply the patches or workarounds accordingly. Two practical caveats: frameworks that bundle their own copy of React (Next.js ships one) need the framework itself upgraded rather than only the top-level `react` dependency, and a lockfile can carry a second, nested copy of a Flight package that a top-level version bump leaves untouched. The automated PR from Vercel is an initial remediation step, not a substitute for validating the whole dependent application stack.
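One way to carry out the "verify whether your deployment is affected" step is to audit the lockfile for every installed copy of the packages that ship the React Flight protocol and compare each against the first fixed release on its minor line. The script below is an added example written for this page; it is not code from the page, from Vercel or from the React project. The `FIXED_VERSIONS` table is an assumption filled in from memory of the advisories and must be confirmed against GHSA-9qr9-h5gf-34mp, CVE-2025-55182 and CVE-2025-66478 before the output is trusted; the sample lockfile is constructed for illustration and does not describe any real project.

```javascript
// Added example (not code from the page, Vercel or the React project):
// audit a package-lock.json (lockfileVersion 2 or 3) for the packages that
// ship the React Flight protocol and flag installed versions that sit below
// the first fixed release on their major.minor line.

// ASSUMPTION: example fixed versions written from memory of the advisories.
// Confirm every entry against GHSA-9qr9-h5gf-34mp / CVE-2025-55182 /
// CVE-2025-66478 before relying on the result.
const FIXED_VERSIONS = {
  "react-server-dom-webpack": ["19.0.1", "19.1.2", "19.2.1"],
  "react-server-dom-turbopack": ["19.0.1", "19.1.2", "19.2.1"],
  "react-server-dom-parcel": ["19.0.1", "19.1.2", "19.2.1"],
  // Next.js vendors its own react-server-dom-* copy under next/dist/compiled,
  // which never appears in the lockfile: the `next` version itself is the check.
  next: ["15.5.7", "16.0.7"],
};

function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v));
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Comparator over parsed versions; a prerelease ranks below the same release,
// so "19.2.1-canary.3" is still reported as below the fixed "19.2.1".
function compareSemver(a, b) {
  for (const k of ["major", "minor", "patch"]) if (a[k] !== b[k]) return a[k] - b[k];
  if (a.pre === b.pre) return 0;
  if (a.pre === null) return 1;
  if (b.pre === null) return -1;
  return a.pre < b.pre ? -1 : 1;
}

// Package name from a lockfile "packages" key such as
// "node_modules/foo/node_modules/react-server-dom-webpack", so nested copies
// that a top-level bump would miss are counted too. The root key "" is skipped.
function packageNameFromPath(path) {
  const i = path.lastIndexOf("node_modules/");
  return i === -1 ? null : path.slice(i + "node_modules/".length);
}

// One finding per installed Flight package, with status "vulnerable", "fixed"
// or "unknown-line" (no fixed release on that major.minor line in the table;
// review the advisory by hand rather than assuming it is safe).
function auditLockfile(lock, fixedVersions = FIXED_VERSIONS) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = packageNameFromPath(path);
    if (!name || !fixedVersions[name] || !entry.version) continue;
    const installed = parseSemver(entry.version);
    if (!installed) continue;
    const lineFix = fixedVersions[name]
      .map(parseSemver)
      .find((f) => f.major === installed.major && f.minor === installed.minor);
    let status = "unknown-line";
    if (lineFix) status = compareSemver(installed, lineFix) < 0 ? "vulnerable" : "fixed";
    findings.push({ path, name, version: entry.version, status });
  }
  return findings;
}

// Constructed sample lockfile (not a real project): a patched Next.js at the
// top level, a nested react-server-dom-webpack that is still vulnerable, and a
// canary on a minor line the table does not cover.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", version: "1.0.0" },
    "node_modules/next": { version: "16.0.7" },
    "node_modules/react": { version: "19.2.1" },
    "node_modules/some-rsc-lib/node_modules/react-server-dom-webpack": { version: "19.2.0" },
    "node_modules/react-server-dom-turbopack": { version: "19.3.0-canary.1" },
  },
};

// CLI: `node audit-flight.js path/to/package-lock.json`; with no argument the
// constructed sample is audited instead.
if (typeof require === "function" && require.main === module) {
  const file = process.argv[2];
  const lock = file ? JSON.parse(require("fs").readFileSync(file, "utf8")) : SAMPLE_LOCK;
  for (const f of auditLockfile(lock)) {
    console.log(`${f.status.padEnd(12)} ${f.name}@${f.version}  (${f.path})`);
  }
}
```

Run it against each deployed project's lockfile, not only the repository root, since monorepo workspaces and vendored sub-apps carry their own lockfiles; any "vulnerable" or "unknown-line" result is a candidate for the advisory's patch or workaround, and a clean result still says nothing about a framework copy of React that the lockfile does not enumerate.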