Critical RCE Flaw in React Server Components Exposes Next.js Deployments to Server Takeover
A critical remote code execution vulnerability has been identified in React Server Components, allowing unauthenticated attackers to run arbitrary code on affected servers. The flaw stems from insecure deserialization in the React Flight protocol, the serialization format React uses to move component data and function arguments between server and client. Because the vulnerable code path is reached when the server decodes a request body, no credentials or prior access are needed: an attacker triggers execution simply by sending a crafted request to an endpoint that accepts Flight payloads.
The vulnerability affects frameworks built on React Server Components, Next.js among them. A project hosted on Vercel's platform, identified as "momos-cafe," has already been flagged as affected. GitHub, the React team, and Next.js have each published an advisory under its own tracking identifier: GitHub Security Advisory GHSA-9qr9-h5gf-34mp, React advisory CVE-2025-55182, and Next.js advisory CVE-2025-66478. The parallel advisories reflect a coordinated disclosure across the ecosystem rather than three separate bugs.
Vercel has automatically generated a pull request to patch the issue in affected projects, but warns that the automated fix may be incomplete or contain errors. Developers should review the PR's changes against Vercel's additional guidance before merging rather than accepting it blindly. Given the critical severity and the public advisories, organizations running vulnerable React Server Component deployments should assess their exposure now, including any nested or duplicated copies of the affected packages in their dependency trees, and apply the patched releases or interim mitigations without delay.