Critical RCE Vulnerability in React Server Components Exposes Next.js to Server-Side Attacks
A critical remote code execution vulnerability has been identified in React Server Components, the technology powering popular frameworks including Next.js. The flaw enables unauthenticated attackers to execute arbitrary code on affected servers, representing a severe threat to applications built on this widely deployed architecture. Vercel has automatically generated pull requests to assist affected projects with patching efforts.
The vulnerability stems from insecure deserialization within the React Flight protocol, which handles data transmission between server and client components. Security advisories tracking this issue include GitHub Advisory GHSA-9qr9-h5gf-34mp, React Advisory CVE-2025-55182, and Next.js Advisory CVE-2025-66478. At least one project, hosted under the identifier muntasir-mamun, has been confirmed as impacted. The attack vector requires no authentication, so any publicly accessible Next.js deployment running a vulnerable RSC configuration faces potential exploitation.
Developers using Next.js and other React Server Component frameworks should immediately review Vercel's automated patch guidance and apply security updates before merging. The broad adoption of Next.js across enterprise and startup environments means this vulnerability carries significant systemic risk. Organizations should audit their deployment pipelines, verify their current framework versions against the published CVE criteria, and implement the official patches as priority updates. Until patches are applied, affected servers should be treated as potentially compromised given the unauthenticated nature of the exploit path.
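The article's advice to verify installed framework versions against the advisory is easy to get wrong when a lockfile contains more than one copy of a package: the top-level `react` may be patched while a nested copy pulled in by a UI library is not. The Node.js script below is an added example, not code from the article, from Vercel or from the React project. It walks a parsed `package-lock.json` (lockfile v1 and v2/v3 layouts), records every occurrence of the packages listed in `WATCHED_PACKAGES` (an assumed list; the advisory is authoritative), and compares each occurrence with a map of fixed versions. The fixed-version numbers in `DEMO_FIXED_VERSIONS` and the lockfile in `SAMPLE_LOCK` are constructed for the demo and must be replaced with the values published in GHSA-9qr9-h5gf-34mp / CVE-2025-55182 / CVE-2025-66478 and with the real lockfile.

```javascript
// Added example (not from the advisory or the article): inventory React /
// Next.js packages in a lockfile and compare them with advisory fix versions.

// Packages to inventory for this issue. Assumed list; check the advisory.
const WATCHED_PACKAGES = [
  'react',
  'react-dom',
  'react-server-dom-webpack',
  'react-server-dom-turbopack',
  'next',
];

// Collect every occurrence of a watched package from a parsed package-lock.json.
// lockfileVersion 2/3 keys "packages" by install path; v1 nests "dependencies".
// Returns { name: [ { path, version }, ... ] } so nested duplicates are visible.
function collectFrameworkVersions(lock) {
  const found = {};
  const record = (name, path, version) => {
    if (!WATCHED_PACKAGES.includes(name) || !version) return;
    found[name] = found[name] || [];
    found[name].push({ path, version });
  };
  if (lock.packages) {
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (!path) continue; // "" is the root project itself
      const marker = 'node_modules/';
      const name = path.slice(path.lastIndexOf(marker) + marker.length);
      record(name, path, entry.version);
    }
  } else if (lock.dependencies) {
    const walk = (deps, prefix) => {
      for (const [name, entry] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        record(name, path, entry.version);
        if (entry.dependencies) walk(entry.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return found;
}

// Minimal semver parsing: numeric major.minor.patch plus an optional
// prerelease tag after the first dash (canary builds have several dashes).
function parseVersion(v) {
  const dash = v.indexOf('-');
  const core = dash === -1 ? v : v.slice(0, dash);
  const pre = dash === -1 ? null : v.slice(dash + 1);
  return { nums: core.split('.').map(Number), pre };
}

// Returns -1, 0 or 1. A prerelease sorts before the same release without a tag.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa.nums[i] || 0) - (pb.nums[i] || 0);
    if (d !== 0) return Math.sign(d);
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1;
}

// For each occurrence, find the fix on the same major.minor line and classify:
// 'patched', 'vulnerable', or 'unknown' (no fix listed for that line: consult the advisory).
function assessAgainstAdvisory(found, fixedVersions) {
  const report = [];
  for (const [name, occurrences] of Object.entries(found)) {
    const fixes = fixedVersions[name] || [];
    for (const { path, version } of occurrences) {
      const line = version.split('.').slice(0, 2).join('.') + '.';
      const fix = fixes.find((f) => f.startsWith(line));
      const status = !fix
        ? 'unknown'
        : compareVersions(version, fix) >= 0 ? 'patched' : 'vulnerable';
      report.push({ name, path, version, fixedVersion: fix || null, status });
    }
  }
  return report;
}

// Constructed sample lockfile (v3 layout) with a nested, older duplicate.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/next': { version: '16.0.0' },
    'node_modules/react': { version: '19.1.0' },
    'node_modules/react-dom': { version: '19.1.99' },
    'node_modules/react-server-dom-webpack': { version: '19.1.99' },
    'node_modules/some-ui-kit/node_modules/react-server-dom-webpack': { version: '19.0.0' },
    'node_modules/lodash': { version: '4.17.21' },
  },
};

// PLACEHOLDER fix versions invented for the demo; take real values from the advisory.
const DEMO_FIXED_VERSIONS = {
  react: ['19.0.99', '19.1.99'],
  'react-dom': ['19.0.99', '19.1.99'],
  'react-server-dom-webpack': ['19.0.99', '19.1.99'],
  'react-server-dom-turbopack': ['19.0.99', '19.1.99'],
  next: ['15.1.99'],
};

// Run against the sample; swap in JSON.parse(fs.readFileSync('package-lock.json')) for real use.
for (const row of assessAgainstAdvisory(collectFrameworkVersions(SAMPLE_LOCK), DEMO_FIXED_VERSIONS)) {
  console.log(`${row.status.padEnd(10)} ${row.name}@${row.version} at ${row.path}`);
}
```

On the sample, the top-level `react-dom` and `react-server-dom-webpack` report `patched`, the nested copy under `some-ui-kit` reports `vulnerable`, and `next` reports `unknown` because no fix is listed for its 16.0 line. Treat `unknown` as something to resolve by reading the advisory, not as a pass, and run the script over every lockfile in a monorepo rather than only the root.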