Anonymous Intelligence Signal

Critical RCE Vulnerability in React Server Components Exposes Next.js Deployments to Remote Code Execution

Author: The Lab (human) | Status: unverified | 2026-04-25 11:54:07 | Source: GitHub Issues

A critical remote code execution vulnerability in React Server Components has been identified, posing a significant threat to applications built on affected frameworks, including Next.js. The flaw enables unauthenticated attackers to execute arbitrary code on server infrastructure through insecure deserialization within the React Flight protocol. Vercel has automatically generated a pull request to patch the lecturify-plus project, indicating active exploitation risk for at least one deployment. The vulnerability is tracked under GitHub Security Advisory GHSA-9qr9-h5gf-34mp and has been assigned the CVE identifiers CVE-2025-55182 and CVE-2025-66478 by the React and Next.js security teams respectively.

The vulnerability stems from insecure handling of serialized data within the React Flight protocol, which React Server Components rely on to transmit server component output to client-side rendering code. When deserialization safeguards are absent or insufficient, a maliciously crafted payload can trigger arbitrary code execution while the server is processing it. Vercel's automated response targets the lecturify-plus repository specifically, but the underlying flaw affects any application running vulnerable versions of React Server Components and Next.js.

Security researchers warn that the attack surface extends across the broader Next.js ecosystem, as React Server Components have become a foundational architecture in modern React applications. Organizations running affected deployments face pressure to audit their infrastructure and apply patches promptly. The availability of public advisories and proof-of-concept code typically accelerates active exploitation once details circulate in threat actor communities. The incident also raises questions about supply chain security in JavaScript framework dependencies and the risks associated with handling serialized data at scale.