Critical RCE Vulnerability in React Server Components Exposes Next.js Deployments to Server-Side Compromise
A critical remote code execution vulnerability has been identified in React Server Components, enabling unauthenticated attackers to execute arbitrary code on servers through insecure deserialization in the React Flight protocol. The flaw affects projects using React Server Components, including applications built on Next.js and related frameworks.
The vulnerability was discovered in at least one active project, portfolio-nextjs-81e9, hosted on Vercel's platform, though the exposure likely extends to any deployment leveraging vulnerable React Server Components configurations. Security advisories tracking the issue include GitHub Security Advisory GHSA-9qr9-h5gf-34mp, React Advisory CVE-2025-55182, and Next.js Advisory CVE-2025-66478. Vercel has begun generating automated pull requests to assist affected projects with patching efforts, though the company cautions that these automated fixes may not be comprehensive and require manual review.
The vulnerability stems from insecure handling of deserialization during the React Flight protocol exchange, the channel over which server components transmit data between client and server environments. Attackers can exploit this by sending crafted payloads that require no authentication and execute code on the server. Organizations running affected React Server Components deployments are advised to review the advisories listed above, apply patches promptly, and verify the integrity of server-side request handling. The widespread adoption of Next.js and React Server Components across production environments raises the urgency for coordinated remediation efforts.
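Because the automated pull requests may not be comprehensive, a practitioner will want to confirm after patching that none of the advisories named above still appear in the dependency tree. The following is an added example, not code from the article or from Vercel, React or Next.js: it scans the JSON produced by `npm audit --json` (assumed to be in the `auditReportVersion: 2` shape used by npm 7 and later) for the three advisory identifiers. The sample report and its version ranges are constructed placeholders.

```javascript
// Added example: report which packages in an `npm audit --json` report are
// still affected by the advisories named in the article.
const TRACKED_ADVISORIES = [
  "GHSA-9qr9-h5gf-34mp", // GitHub Security Advisory
  "CVE-2025-55182",      // React advisory
  "CVE-2025-66478",      // Next.js advisory
];

// Returns [{ package, severity, range, advisory, fixAvailable }] for every
// vulnerability whose advisory URL or title mentions a tracked identifier.
function findTrackedAdvisories(auditReport, trackedIds = TRACKED_ADVISORIES) {
  const hits = [];
  const vulns = (auditReport && auditReport.vulnerabilities) || {};
  for (const [pkg, entry] of Object.entries(vulns)) {
    for (const via of entry.via || []) {
      // Transitive findings are plain strings naming the dependency;
      // only object entries carry advisory metadata (url, title, ...).
      if (typeof via !== "object" || via === null) continue;
      const haystack = `${via.url || ""} ${via.title || ""}`;
      const advisory = trackedIds.find((id) => haystack.includes(id));
      if (!advisory) continue;
      hits.push({
        package: pkg,
        severity: entry.severity,
        range: entry.range,
        advisory,
        // npm reports fixAvailable as a boolean or as an object naming the fix.
        fixAvailable: entry.fixAvailable === true ||
          (typeof entry.fixAvailable === "object" && entry.fixAvailable !== null),
      });
    }
  }
  return hits;
}

// Constructed sample in the npm audit JSON shape; ranges are placeholders.
const SAMPLE_AUDIT = {
  auditReportVersion: 2,
  vulnerabilities: {
    next: {
      name: "next", severity: "critical", isDirect: true,
      via: [{ name: "next", title: "Next.js advisory", severity: "critical",
              url: "https://github.com/advisories/GHSA-9qr9-h5gf-34mp",
              range: "<PLACEHOLDER_FIXED_VERSION" }],
      range: "<PLACEHOLDER_FIXED_VERSION",
      fixAvailable: { name: "next", version: "PLACEHOLDER_FIXED_VERSION" },
    },
    lodash: { name: "lodash", severity: "moderate", via: ["lodash-dep"],
              range: "*", fixAvailable: false },
  },
};
```

Run it against a real report with `npm audit --json > audit.json` and pass the parsed file to `findTrackedAdvisories`; an empty result after patching is the confirmation the automated fix did not leave a tracked advisory behind.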