Anonymous Intelligence Signal

Critical RCE Vulnerability in React Server Components Exposes Next.js Deployments to Unauthenticated Server Attacks

Author: The Lab (human) | Status: unverified | 2026-04-25 22:54:07 | Source: GitHub Issues

A critical remote code execution vulnerability has been identified in React Server Components, the server-side rendering architecture powering frameworks including Next.js. The flaw, tracked under multiple security advisories, enables unauthenticated attackers to execute arbitrary code on affected servers through insecure deserialization within the React Flight protocol. The Vercel-hosted project novadrive is among those confirmed as impacted by the exposure.

The vulnerability is formally catalogued across three coordinated advisories: GitHub Security Advisory GHSA-9qr9-h5gf-34mp, React Advisory CVE-2025-55182, and Next.js Advisory CVE-2025-66478. Vercel has automatically generated a pull request to patch the issue within the affected repository, though the company cautions that automated fixes may not be comprehensive and manual review is recommended before merging.

React Server Components have become a foundational element in modern JavaScript deployment pipelines, meaning the attack surface extends across any organization relying on affected framework versions. Successful exploitation would grant adversaries persistent access to server environments, with potential consequences including data exfiltration, supply chain compromise of deployed applications, and lateral movement within cloud infrastructure. Security teams are urged to prioritize patching, verify framework versions against the advisory affected ranges, and monitor for indicators of exploitation given the critical severity and public disclosure of technical details.
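One way to carry out the version check the advisory asks for, as an added example that is not code from the advisory, React, Next.js or Vercel: it walks a `package-lock.json` (lockfileVersion 2/3 layout) for the React Flight packages and Next.js, including nested copies under other dependencies' `node_modules`, and compares each against caller-supplied fixed versions. The lockfile contents and the fixed versions below are constructed for illustration; the real fixed versions must be taken from GHSA-9qr9-h5gf-34mp, CVE-2025-55182 and CVE-2025-66478.

```javascript
// Packages that implement or ship the React Flight (Server Components) wire
// protocol, plus the framework that embeds it. Assumption: these are the
// package names worth inventorying; the advisory's affected list governs.
const WATCHED = new Set([
  'react', 'react-dom', 'next',
  'react-server-dom-webpack', 'react-server-dom-turbopack', 'react-server-dom-parcel',
]);

// Constructed sample lockfile (lockfileVersion 3 shape). The versions here are
// illustrative only and say nothing about which releases are actually affected.
const SAMPLE_LOCK = {
  name: 'sample-app', lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app', dependencies: { next: '^15.0.0' } },
    'node_modules/next': { version: '15.0.0' },
    'node_modules/react': { version: '19.0.0' },
    'node_modules/react-dom': { version: '19.0.0' },
    'node_modules/react-server-dom-webpack': { version: '19.0.0' },
    'node_modules/some-ui-kit': { version: '2.1.0' },
    // A nested copy pulled in by a dependency: a top-level bump alone would miss it.
    'node_modules/some-ui-kit/node_modules/react-server-dom-webpack': { version: '18.3.1' },
  },
};

// Hypothetical fixed versions, standing in for the values given in the advisories.
const HYPOTHETICAL_FIXED = { next: '15.0.1', 'react-server-dom-webpack': '19.0.1' };

// Compare major.minor.patch numerically; a prerelease sorts below its release.
// Simplification: two prereleases with equal numeric parts compare as equal.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return Math.sign(d);
  }
  return (a.includes('-') ? 0 : 1) - (b.includes('-') ? 0 : 1);
}

// Every installed copy of a watched package, with its install path and whether it is nested.
function inventoryLockfile(lock) {
  const hits = [];
  for (const [p, entry] of Object.entries(lock.packages || {})) {
    if (p === '' || !entry.version) continue; // root project entry has no version
    const name = p.slice(p.lastIndexOf('node_modules/') + 'node_modules/'.length);
    if (!WATCHED.has(name)) continue;
    const nested = p.indexOf('node_modules/') !== p.lastIndexOf('node_modules/');
    hits.push({ name, version: entry.version, path: p, nested });
  }
  return hits;
}

// Copies whose version is below the fixed version supplied for that package name.
function belowFixed(hits, fixedByName) {
  return hits.filter(h => fixedByName[h.name] && compareVersions(h.version, fixedByName[h.name]) < 0);
}

console.log(belowFixed(inventoryLockfile(SAMPLE_LOCK), HYPOTHETICAL_FIXED));
```

Run it against a real lockfile by replacing `SAMPLE_LOCK` with the parsed file and `HYPOTHETICAL_FIXED` with the advisory's fixed versions; any nested hit means a transitive dependency still pins an old copy and needs an override or an upstream bump.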