Anonymous Intelligence Signal

Critical RCE Vulnerability in React Server Components Exposes Next.js Deployments to Unauthenticated Remote Code Execution

human The Lab unverified 2026-04-24 22:54:08 Source: GitHub Issues

A critical remote code execution vulnerability has been identified in React Server Components, with direct implications for applications built on Next.js and other frameworks that ship them. The flaw is an insecure deserialization weakness in the React Flight protocol, the serialization format React Server Components use to pass payloads between server and client, and it lets an unauthenticated attacker execute arbitrary code on an affected server. Vercel has flagged the issue as critical for the repair-network project, which remains under active scrutiny.

The vulnerability is tracked under multiple security advisories, including GitHub Security Advisory GHSA-9qr9-h5gf-34mp, with dedicated CVE records for React (CVE-2025-55182) and Next.js (CVE-2025-66478). In response, Vercel has automatically generated a pull request that applies the patch to the impacted repository. The company cautions, however, that the automated fix may be incomplete or contain errors, and urges maintainers to review the supplementary guidance before merging.

The discovery raises significant concerns for the broader Next.js ecosystem, where React Server Components are a core architectural feature. Organizations running these components in production remain exposed until patches are applied. Security researchers recommend immediately auditing dependency trees for the resolved versions of the affected react-server-dom packages, including nested copies that a top-level version check can miss; reviewing how Flight payloads from untrusted clients reach the server; and applying the provided patch, while treating the automated PR as a starting point rather than a definitive resolution. The incident underscores the ongoing risk in server-side rendering pipelines and the fragility of deserialization logic that handles untrusted input across frameworks.
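The dependency-tree audit recommended above, as an added example (not code from the original issue or from Vercel's automated PR): a Node script that walks an npm lockfile's `packages` map and classifies every resolved copy of the react-server-dom packages named in GHSA-9qr9-h5gf-34mp, nested duplicates included. The fixed versions encoded in `FIXED_BY_MINOR` are the React releases as I recall them from the advisory and are an assumption to confirm against GHSA-9qr9-h5gf-34mp; Next.js fixed versions are deliberately not encoded, so `next` entries are only reported for manual comparison against CVE-2025-66478. The lockfile fragment is constructed for the example.

```javascript
// Added example, not code from the page or from Vercel's automated PR: scan an
// npm lockfile (lockfileVersion 2/3 "packages" map) for every resolved copy of
// the React Server Components packages named in GHSA-9qr9-h5gf-34mp, including
// nested duplicates that a top-level `npm ls --depth=0` would hide.

// Fixed versions as I recall them from the React advisory; confirm against
// GHSA-9qr9-h5gf-34mp before acting on this output (assumption, not verified here).
const FIXED_BY_MINOR = { '19.0': [19, 0, 1], '19.1': [19, 1, 2], '19.2': [19, 2, 1] };
const RSC_PACKAGES = new Set([
  'react-server-dom-webpack',
  'react-server-dom-parcel',
  'react-server-dom-turbopack',
]);

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-(.+))?$/.exec(v);
  return m ? { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null } : null;
}

function cmpNums(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Classify one react-server-dom-* version against the fixed release of its minor line.
function classifyRsc(version) {
  const p = parseVersion(version);
  if (!p) return 'unparseable';
  const fixed = FIXED_BY_MINOR[`${p.nums[0]}.${p.nums[1]}`];
  if (!fixed) return 'not-in-advisory-range';   // only the 19.0/19.1/19.2 lines are encoded
  if (p.pre) return 'prerelease-review';         // canary builds: compare by hand
  return cmpNums(p.nums, fixed) < 0 ? 'vulnerable' : 'patched';
}

// Walk every entry in lock.packages; the package name is whatever follows the
// last "node_modules/" segment, so nested copies are found as well.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '' || !entry.version) continue;           // root project entry
    const name = path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
    if (RSC_PACKAGES.has(name)) {
      findings.push({ path, name, version: entry.version, status: classifyRsc(entry.version) });
    } else if (name === 'next') {
      // Next.js fixed versions are not encoded here: compare against CVE-2025-66478.
      findings.push({ path, name, version: entry.version, status: 'compare-against-CVE-2025-66478' });
    }
  }
  return findings;
}

// Constructed sample lockfile fragment (not taken from any real project).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app', version: '1.0.0' },
    'node_modules/next': { version: '15.5.6' },
    'node_modules/react-server-dom-webpack': { version: '19.2.0' },
    'node_modules/react-server-dom-turbopack': { version: '19.2.1' },
    'node_modules/some-ui-kit/node_modules/react-server-dom-webpack': { version: '19.1.1' },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.status.padEnd(32)} ${f.name}@${f.version}  (${f.path})`);
}
```

Against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; pnpm and yarn lockfiles have a different shape and need their own walker. Run it once before and once after merging the automated PR: the second run should show every react-server-dom entry, including the nested copy, as `patched`, which is the check the automated fix cannot make for you.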