Critical RCE Vulnerability in React Server Components Enables Unauthenticated Server Code Execution
A critical remote code execution vulnerability in React Server Components has been identified, affecting frameworks including Next.js and potentially other RSC-based implementations. The flaw resides in insecure deserialization within the React Flight protocol, enabling unauthenticated remote code execution on vulnerable servers. GitHub Security Advisory GHSA-9qr9-h5gf-34mp tracks the vulnerability, which has been assigned CVE-2025-55182 in the React ecosystem and CVE-2025-66478 specifically for Next.js environments.
The exposure was discovered in the project groupe-bnsb hosted on Vercel, where an automated pull request has been generated to patch the vulnerable codebase. The vulnerability allows attackers to execute arbitrary code on the server without requiring any authentication credentials. React Server Components leverage the React Flight protocol to serialize and transmit component data between server and client contexts, and the deserialization process in this workflow contains the critical flaw that enables remote code execution.
Organizations running Next.js applications or other React Server Component implementations should immediately review their dependencies and apply available security patches. The Vercel-generated automated PR represents an initial remediation step for affected projects, though comprehensive patching across all dependent packages and production environments remains necessary. Security teams are advised to audit server-side rendering implementations for potential exposure to untrusted input that could exploit this deserialization vulnerability.
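To make the dependency review above repeatable across many repositories, here is an added triage helper (example code written for this page, not code from the advisory, React or Next.js). It assumes the npm v7+ shape of `npm audit --json` and a lockfileVersion 2/3 `package-lock.json`; the list of RSC-related package names and the sample inputs are constructed for the example, and the patched version range is a placeholder because the page does not state it.

```javascript
// Added example: triage npm audit output and a package-lock for the RSC advisory.
const RSC_ADVISORY = 'GHSA-9qr9-h5gf-34mp';
// Packages that implement or bundle the React Flight (RSC) transport. This list
// is an assumption made for the example, not taken from the advisory.
const RSC_PACKAGES = new Set([
  'react', 'react-dom', 'react-server-dom-webpack',
  'react-server-dom-turbopack', 'react-server-dom-parcel', 'next',
]);

// Scan `npm audit --json` output for the advisory; npm keys "vulnerabilities"
// by package name, and each "via" entry is either an advisory object or a
// string naming another vulnerable package (a transitive reference).
function findRscAdvisory(audit) {
  const hits = [];
  for (const [pkg, info] of Object.entries(audit.vulnerabilities || {})) {
    for (const via of info.via || []) {
      if (typeof via !== 'object' || !via.url) continue;
      if (via.url.endsWith('/' + RSC_ADVISORY)) {
        hits.push({ package: pkg, severity: via.severity, range: via.range, fixAvailable: info.fixAvailable });
      }
    }
  }
  return hits;
}

// List installed RSC packages from the lockfile, including nested copies such as
// node_modules/next/node_modules/react, since a nested copy is what actually loads.
function listInstalledRscPackages(lock) {
  const found = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // the root project entry
    const name = path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
    if (RSC_PACKAGES.has(name)) found.push({ name, version: entry.version, path });
  }
  return found.sort((a, b) => a.path.localeCompare(b.path));
}

function triage(audit, lock) {
  const advisories = findRscAdvisory(audit);
  return { affected: advisories.length > 0, advisories, installed: listInstalledRscPackages(lock) };
}

// Constructed sample inputs: shapes mirror real npm output, values are made up.
const SAMPLE_AUDIT = { vulnerabilities: {
  'react-server-dom-webpack': { severity: 'critical', fixAvailable: true, via: [{
    title: 'RCE in React Server Components', url: 'https://github.com/advisories/' + RSC_ADVISORY,
    severity: 'critical', range: '<PATCHED_VERSION_PLACEHOLDER' }] },
  next: { severity: 'critical', fixAvailable: true, via: ['react-server-dom-webpack'] } } };
const SAMPLE_LOCK = { lockfileVersion: 3, packages: { '': { name: 'app' },
  'node_modules/next': { version: '0.0.0-example' }, 'node_modules/react': { version: '0.0.0-example' },
  'node_modules/next/node_modules/react-server-dom-webpack': { version: '0.0.0-example' },
  'node_modules/lodash': { version: '0.0.0-example' } } };

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(triage(SAMPLE_AUDIT, SAMPLE_LOCK), null, 2));
}
```

In practice, feed it `JSON.parse` of the real `npm audit --json` output and lockfile; an `affected: true` result or any RSC package at an unpatched version is the signal to apply the fix and redeploy.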