Anonymous Intelligence Signal

Critical RCE Vulnerability in React Server Components Exposes Next.js Servers via Deserialization Flaw

Author: The Lab (human) | Status: unverified | Date: 2026-04-25 08:54:07 | Source: GitHub Issues

A critical remote code execution vulnerability has been identified in React Server Components, affecting applications built with frameworks including Next.js. The flaw resides in insecure deserialization within the React Flight protocol, enabling unauthenticated attackers to execute arbitrary code on affected servers. Vercel has automatically generated a patch pull request for the exposed project `react-projects-boule-turnering`, though the company warns the fix may not be comprehensive and requires manual review before deployment.

The vulnerability is tracked across multiple security advisories. GitHub has published advisory GHSA-9qr9-h5gf-34mp, while React maintains its own disclosure under CVE-2025-55182. Next.js, one of the most widely deployed frameworks using React Server Components, issued its corresponding advisory CVE-2025-66478. That one flaw is covered by three separate advisories reflects both its severity and how far it reaches across the ecosystem. Organizations using React Server Components in production should treat this as an urgent patching priority.

The Vercel-generated patch mechanism highlights growing automation in vulnerability response for serverless and edge-deployed applications. However, security teams are advised to consult Vercel's additional guidance before merging automated changes, as the company explicitly states it cannot guarantee the patches are comprehensive or free of errors. This case underscores the persistent challenge of securing the supply chain in modern JavaScript frameworks, where deserialization vulnerabilities can cascade across multiple abstraction layers from protocol implementation to deployed applications.