Critical RCE Vulnerability in React Server Components Exposes Next.js and Related Frameworks to Server-Side Attacks
A critical remote code execution vulnerability has been identified in React Server Components, the technology powering Next.js and other major web frameworks. The flaw enables unauthenticated RCE on affected servers through insecure deserialization within the React Flight protocol, according to security advisories tracked under CVE-2025-55182, CVE-2025-66478, and GitHub Security Advisory GHSA-9qr9-h5gf-34mp.
The vulnerability was discovered in the Vercel-hosted project "favorite-prompts-web," prompting an automated pull request to patch the flaw. Vercel generated the PR as part of an automated vulnerability response effort, though the company cautioned that the patch may not be comprehensive and could contain errors. Developers are advised to review additional guidance before merging the changes into production environments.
The exposure spans any application using React Server Components with deserialization logic that processes untrusted input through the Flight protocol. Security teams should prioritize auditing Next.js deployments and related frameworks for React Flight usage patterns. The React and Next.js teams have published separate advisories detailing affected versions and recommended mitigations. Organizations unable to immediately apply patches should consider disabling or restricting React Server Component functionality as a temporary compensating control pending a thorough security review.
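The audit recommended above can be done systematically rather than by hand. The following Node.js script is an added example, not code from the article, from React, or from Vercel: it inventories where a Next.js checkout declares a Flight-capable package (`next` and the `react-server-dom-*` packages) and where its source decodes client-supplied Flight payloads (`"use server"` Server Action files and direct calls to the `decodeReply` / `decodeAction` / `decodeFormState` server APIs). The package and API lists are assumptions for illustration, the sample project is constructed, and the fixed-version thresholds are deliberately unparsable placeholders so that every match is flagged for review until the real values from the React and Next.js advisories are filled in; the script works on in-memory strings so it runs offline, and in a real checkout you would feed it `fs.readFileSync` output.

```javascript
// Added example (not from the article, React, or Vercel): inventory React Server
// Components / Flight exposure in a Next.js project from package.json text and
// source file text. Works on strings so it runs offline.

// Packages that ship a React Flight server (assumption: illustrative, not exhaustive).
const FLIGHT_PACKAGES = [
  'next',
  'react-server-dom-webpack',
  'react-server-dom-turbopack',
  'react-server-dom-parcel',
];

// Server-side Flight decode entry points that consume client-supplied payloads
// (assumption: names as exported by react-server-dom-*/server; extend as needed).
const DECODE_APIS = ['decodeReply', 'decodeAction', 'decodeFormState'];

// Extract MAJOR.MINOR.PATCH from a version spec such as "^14.2.0"; null if none.
// Caret/tilde ranges are compared by their floor; confirm the resolved version in the lockfile.
function parseSemver(spec) {
  const m = /(\d+)\.(\d+)\.(\d+)/.exec(spec || '');
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// True when version a is strictly lower than version b.
function isBelow(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

// Compare declared Flight-capable dependencies against fixed versions.
// Anything that cannot be parsed is flagged for review, never treated as safe.
function inventoryDependencies(packageJsonText, fixedVersions) {
  const pkg = JSON.parse(packageJsonText);
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const findings = [];
  for (const name of FLIGHT_PACKAGES) {
    if (!(name in deps)) continue;
    const declared = parseSemver(deps[name]);
    const fixed = parseSemver(fixedVersions[name]);
    let status;
    if (!declared) status = 'review: unparsable version (check lockfile)';
    else if (!fixed) status = 'review: fixed version unknown';
    else if (isBelow(declared, fixed)) status = 'BELOW fixed version';
    else status = 'at or above fixed version';
    findings.push({ package: name, spec: deps[name], status });
  }
  return findings;
}

// Find the places where this app decodes Flight payloads sent by clients:
// "use server" files (Server Actions) and direct use of the decode APIs.
function scanSource(path, text) {
  const markers = [];
  if (/^\s*['"]use server['"]\s*;?\s*$/m.test(text)) markers.push('use server');
  for (const api of DECODE_APIS) {
    if (new RegExp(`\\b${api}\\b`).test(text)) markers.push(api);
  }
  return markers.length ? { path, markers } : null;
}

// files: { [path]: contents }. Returns a report a reviewer can act on.
function auditProject(files, fixedVersions) {
  const dependencies = inventoryDependencies(files['package.json'] || '{}', fixedVersions);
  const flightEntryPoints = Object.entries(files)
    .filter(([p]) => /\.(m?[jt]sx?)$/.test(p))
    .map(([p, t]) => scanSource(p, t))
    .filter(Boolean);
  return { dependencies, flightEntryPoints };
}

// Constructed sample project (not a real repository).
const SAMPLE_FILES = {
  'package.json': JSON.stringify({
    dependencies: { next: '^14.2.0', react: '18.3.1', 'react-server-dom-webpack': '18.3.1' },
  }),
  'app/page.tsx': 'export default function Page() { return <main>hello</main>; }\n',
  'app/actions.ts': "'use server';\nexport async function save(form: FormData) { /* ... */ }\n",
  'lib/flight.js': "import { decodeReply } from 'react-server-dom-webpack/server';\n",
};

// PLACEHOLDER thresholds: unparsable on purpose so every match is flagged for review
// until the real fixed versions from the React and Next.js advisories are filled in.
const PLACEHOLDER_FIXED_VERSIONS = {
  next: 'SEE-ADVISORY',
  'react-server-dom-webpack': 'SEE-ADVISORY',
};

console.log(JSON.stringify(auditProject(SAMPLE_FILES, PLACEHOLDER_FIXED_VERSIONS), null, 2));
```

The report lists each Flight-capable dependency with its status and each file that decodes client payloads, which is the set of places to re-check once the patched versions are in place. The version comparison is a floor check on the declared range, so the lockfile remains the authority on what is actually installed.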