Critical RCE Vulnerability in React Server Components Exposes Next.js Deployments to Server-Side Attacks
A critical remote code execution vulnerability has been identified in React Server Components, posing a significant threat to applications built on Next.js and similar frameworks. The flaw, tracked under multiple CVEs including CVE-2025-55182 and CVE-2025-66478, enables unauthenticated remote code execution on affected servers through insecure deserialization within the React Flight protocol. The vulnerability was discovered in the production project grupo-ayr-landing hosted on Vercel, prompting the platform to generate automated pull requests as part of a coordinated patching effort.
The exposure stems from a weakness in how React Server Components handle serialized data during Flight operations, the mechanism used to stream server components to the client. Security researchers identified that an attacker could exploit this flaw without authentication, potentially gaining full control over the underlying server environment. Vercel has acknowledged the severity of the issue and flagged it under GitHub Security Advisory GHSA-9qr9-h5gf-34mp. However, the company cautions that its automated patches may not be comprehensive and urges developers to review the changes thoroughly before merging them.
This disclosure comes amid heightened scrutiny of supply chain and framework-level vulnerabilities in the JavaScript ecosystem. Organizations running Next.js applications with React Server Components enabled face immediate pressure to assess their exposure, apply available patches, and monitor for indicators of exploitation. The incident underscores ongoing challenges in securing the boundary between server and client rendering environments, a critical attack surface as modern frameworks increasingly blur those lines. Security teams should consult the official React and Next.js advisories for mitigation guidance and consider restricting unauthenticated server-side request paths as a temporary safeguard.
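The "restrict unauthenticated server-side request paths" safeguard mentioned above can be expressed as a small request-gating policy. The following is an added example written for this article; it is not code from React, Next.js, Vercel, or the advisory. It assumes that the request paths worth gating are Server Action POSTs, which Next.js marks with a `Next-Action` request header (an assumption: the article does not name the paths), and that the deployment already has some way to tell whether a request carries a valid session. The decision function is kept free of framework imports so it can be unit-tested and reused for log triage; the request objects at the bottom are constructed samples.

```javascript
// Added example, not from the page or the projects it describes.
// Policy: unauthenticated POSTs that carry a Next-Action header are
// rejected unless the action id is explicitly allow-listed. This is only
// a stop-gap while the patched React/Next.js packages are rolled out.

// Hypothetical allow-list of action ids that must stay reachable without a
// session (for example a public login form). Empty by default.
const ALLOWED_UNAUTH_ACTIONS = new Set();

// Header names are case-insensitive; normalise once so lookups are simple.
function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers || {})) {
    out[name.toLowerCase()] = value;
  }
  return out;
}

// Decide whether a request should be blocked.
// req: { method: string, headers: object }, isAuthenticated: boolean
// Returns { block: boolean, reason: string } so callers can log the reason.
function decide(req, isAuthenticated) {
  const h = normalizeHeaders(req.headers);
  const actionId = h["next-action"];
  const isServerAction = req.method === "POST" && actionId !== undefined;

  if (!isServerAction) return { block: false, reason: "not a server action" };
  if (isAuthenticated) return { block: false, reason: "authenticated" };
  if (ALLOWED_UNAUTH_ACTIONS.has(actionId)) {
    return { block: false, reason: "allow-listed action" };
  }
  return { block: true, reason: "unauthenticated server action" };
}

// Monitoring helper: given request records (e.g. parsed from an access
// log) that also carry a client address, return the addresses that issued
// unauthenticated server-action requests, with a count per address.
function triage(records) {
  const hits = new Map();
  for (const r of records) {
    if (decide(r, r.isAuthenticated).block) {
      hits.set(r.client, (hits.get(r.client) || 0) + 1);
    }
  }
  return hits;
}

// Constructed sample traffic (not real log data).
const SAMPLE_RECORDS = [
  { client: "203.0.113.7", method: "POST", headers: { "Next-Action": "a1b2c3" }, isAuthenticated: false },
  { client: "203.0.113.7", method: "POST", headers: { "next-action": "d4e5f6" }, isAuthenticated: false },
  { client: "198.51.100.2", method: "POST", headers: { "Next-Action": "a1b2c3" }, isAuthenticated: true },
  { client: "198.51.100.9", method: "GET", headers: { RSC: "1" }, isAuthenticated: false },
];

for (const [client, count] of triage(SAMPLE_RECORDS)) {
  console.log(`${client}: ${count} blocked server-action request(s)`);
}
```

To wire this into a Next.js app, call `decide({ method: request.method, headers: Object.fromEntries(request.headers) }, hasValidSession(request))` from `middleware.ts` and return a 403 `NextResponse` when `block` is true; how `hasValidSession` is implemented depends on the deployment's auth scheme and is assumed here. The same `decide` function run over access-log records gives a quick view of which clients are probing action endpoints without a session, which is the kind of indicator the advisory asks teams to monitor for, but it does not replace upgrading to the patched packages.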