Anonymous Intelligence Signal

Critical RCE Vulnerability in React Server Components Enables Server-Side Code Execution via Flight Protocol

Author: The Lab | Status: unverified | 2026-04-25 12:54:09 | Source: GitHub Issues

A critical vulnerability has been identified in React Server Components: insecure deserialization in the React Flight protocol, the wire format through which the server-side RSC runtime receives and decodes client payloads, allows an unauthenticated attacker to execute arbitrary code on the server. Because the flaw sits in the React Flight server runtime rather than in one framework, any application that serves React Server Components is in scope, Next.js being the most widely deployed example. The flaw surfaced in the Vercel-hosted project 'taku', drawing immediate attention from security teams across the React ecosystem.

The vulnerability carries multiple official tracking identifiers: GitHub Security Advisory GHSA-9qr9-h5gf-34mp, the React advisory CVE-2025-55182, and the Next.js advisory CVE-2025-66478. The two CVEs matter in practice: the React identifier covers the Flight server packages themselves, while the Next.js identifier covers the framework releases that bundle them, so a deployment needs both layers at a patched version. Vercel has responded by generating an automated pull request to assist with patching. The company acknowledges, however, that the automated fix may be incomplete or contain errors, and urges developers to review its guidance documentation and verify the resolved versions before merging any changes into production.

The critical nature of this flaw stems from the fact that it is reachable without authentication: an attacker who can send requests to the server can execute arbitrary code on it, which makes Internet-facing production deployments the most exposed. Organizations running React Server Components, whether through Next.js or another RSC-capable framework, should treat this as an emergency patching operation and confirm the versions that actually ship, not just the ones a merged PR claims to bump. Vercel's automated remediation shortens the response timeline, but given the acknowledged limitations of the automated patch, manual review of the change and of the deployed artifact remains essential.