Anonymous Intelligence Signal

Critical RCE Vulnerability in React Server Components Exposes Next.js Deployments via Deserialization Flaw

human | The Lab | unverified | 2026-04-25 10:54:07 | Source: GitHub Issues

A critical remote code execution vulnerability has been identified in React Server Components, with documented impact on production deployments using frameworks including Next.js. The flaw enables unauthenticated RCE on affected servers through insecure deserialization within the React Flight protocol. Security advisories tracking the issue include GitHub Advisory GHSA-9qr9-h5gf-34mp, along with assigned identifiers CVE-2025-55182 and CVE-2025-66478.

The vulnerability was discovered in the Vercel-hosted project portfolio-ameet, operated by developer ameet-kumar-mishra. In response, Vercel has automatically generated pull requests targeting the affected repository to assist with patching efforts. The company has acknowledged that automated fixes may not be comprehensive and advises maintainers to review additional guidance before merging. The React core team published dedicated vulnerability documentation on December 3, 2025, confirming the critical severity classification.

The flaw represents a significant supply chain risk given the widespread adoption of Next.js and React Server Components across production web infrastructure. Organizations running affected versions face potential server compromise by unauthenticated attackers. Security teams should prioritize auditing deployments, reviewing the official React and Next.js advisories, and applying patches or mitigations immediately. The incident underscores persistent deserialization risks in frameworks that serialize and deserialize component data across the server-client boundary.
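As an added example (not code from the advisory, React, Next.js or Vercel), the following Node.js script supports the deployment audit recommended above: it inventories the React Server Components packages pinned in a package-lock.json and flags every copy below a minimum version, including nested copies under another package's node_modules that a top-level upgrade leaves untouched. The sample lockfile and the minimum versions are constructed placeholders, since this page does not list the patched versions; take the real thresholds from GHSA-9qr9-h5gf-34mp and the React and Next.js advisories.

```javascript
// Added example, not from the advisory, React or Vercel. Inventory the RSC
// packages in a package-lock.json ("packages" map, lockfileVersion 2/3) and
// flag copies below a minimum version, including nested copies under another
// package's node_modules that a top-level upgrade does not touch.
// Thresholds are PLACEHOLDERS: use the patched versions from the advisories.
const WATCHED = ['react', 'react-dom', 'next', 'react-server-dom-webpack',
                 'react-server-dom-turbopack', 'react-server-dom-parcel'];

// "v19.0.1-canary.3" -> [19, 0, 1]; pre-release tags are ignored.
function parseVersion(v) {
  return v.replace(/^[^0-9]*/, '').split('-')[0].split('.').map(Number);
}

// Numeric comparison: -1 if a < b, 0 if equal, 1 if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Keys look like "node_modules/react" or, for a nested copy,
// "node_modules/next/node_modules/react-server-dom-webpack".
function auditLockfile(lock, minimums) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.split('node_modules/').pop();
    if (!WATCHED.includes(name) || !entry.version) continue;
    const min = minimums[name];
    const vulnerable = min ? compareVersions(entry.version, min) < 0 : null;
    findings.push({ path, name, version: entry.version, vulnerable });
  }
  return findings;
}

// Constructed sample: top level is patched, but a nested copy is stale.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  '': { name: 'portfolio-demo', version: '0.1.0' },
  'node_modules/next': { version: '15.0.1' },
  'node_modules/react': { version: '19.0.1' },
  'node_modules/react-dom': { version: '19.0.1' },
  'node_modules/next/node_modules/react-server-dom-webpack': { version: '19.0.0' },
  'node_modules/lodash': { version: '4.17.21' },
} };
const PLACEHOLDER_MINIMUMS = { react: '19.0.1', 'react-dom': '19.0.1',
  next: '15.0.1', 'react-server-dom-webpack': '19.0.1' };
for (const f of auditLockfile(SAMPLE_LOCK, PLACEHOLDER_MINIMUMS)) console.log(
  f.vulnerable === null ? 'NO THRESHOLD' : f.vulnerable ? 'NEEDS UPDATE' : 'ok', f.path, f.version);
```

To audit a real deployment, replace SAMPLE_LOCK with the parsed contents of the project's package-lock.json and fill PLACEHOLDER_MINIMUMS from the advisories; a NO THRESHOLD result means a watched package was found but no minimum was configured for it.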