Critical RCE Vulnerability in React Server Components Exposes Next.js Deployments
A critical remote code execution vulnerability has been identified in React Server Components, enabling unauthenticated RCE through insecure deserialization in the React Flight protocol. The flaw was discovered in the ai-sci-buddy project hosted on Vercel, though the underlying weakness in the React framework affects a broader set of deployments using Next.js and similar frameworks that implement Server Components.
The vulnerability is tracked under multiple security advisories, including GitHub Security Advisory GHSA-9qr9-h5gf-34mp, React advisory CVE-2025-55182, and Next.js advisory CVE-2025-66478. These coordinated disclosures indicate the vulnerability affects core React infrastructure rather than a single implementation. Vercel has responded by generating an automatic pull request to patch the affected project, though Vercel cautions that the automated changes may not be comprehensive and could contain errors. Developers are advised to review Vercel's guidance before merging any changes.
React and Next.js maintainers have published official security advisories recommending immediate updates to patched versions. The exposure raises risk for any production environment running affected Server Component implementations, as the deserialization flaw could allow an attacker to execute arbitrary code on the server without authentication. The widespread adoption of React Server Components in modern web infrastructure amplifies the potential blast radius beyond the initially identified project.
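Because the advisories above ask operators to confirm they are on patched versions, a practical first step is to audit what is actually installed rather than trusting an automated pull request. The script below is an added example written for this page; it is not code from the advisories, from Vercel, or from the React or Next.js projects. It parses an npm `package-lock.json` (lockfile v2/v3 `packages` map, including nested copies under other dependencies) and compares each installed copy of Next.js and of the `react-server-dom-*` packages, which are assumed here to be the packages that implement the React Flight protocol, against a minimum patched version per major line. The version floors in `PLACEHOLDER_MINIMUMS` and the lockfile contents are constructed for illustration; replace the floors with the fixed versions named in the React and Next.js advisories before using this against a real project.

```javascript
// Added example: audit a package-lock.json for React Flight packages and Next.js.
// Not from the advisories or the React/Next.js/Vercel projects.

// Assumption: these react-server-dom-* packages carry the React Flight
// (de)serialization code referenced by the advisories; "next" bundles its own copy.
const FLIGHT_PACKAGES = [
  "react-server-dom-webpack",
  "react-server-dom-turbopack",
  "react-server-dom-parcel",
  "next",
];

// PLACEHOLDER floors: one minimum patched version per major line you run.
// Take the real values from CVE-2025-55182 / CVE-2025-66478 advisories.
const PLACEHOLDER_MINIMUMS = {
  "react-server-dom-webpack": ["19.2.1"],
  "next": ["15.1.0"],
};

// Constructed sample lockfile (lockfile v3 layout), including a nested copy
// of react-server-dom-webpack pulled in by another dependency.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/next": { version: "15.0.0" },
    "node_modules/react-server-dom-webpack": { version: "19.2.0" },
    "node_modules/some-lib/node_modules/react-server-dom-webpack": { version: "19.2.1" },
    "node_modules/other-lib/node_modules/next": { version: "16.0.0" },
  },
};

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into numbers; prerelease tags are ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// Negative if a < b, zero if equal, positive if a > b (numeric, not lexical).
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  if (!pa || !pb) throw new Error(`unparseable version: ${a} / ${b}`);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Collect every installed copy of the named packages, nested copies included.
// Lockfile keys look like "node_modules/next" or
// "node_modules/foo/node_modules/react-server-dom-webpack".
function findInstalled(lock, names) {
  const found = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();
    if (names.includes(name) && entry.version) {
      found.push({ name, path, version: entry.version });
    }
  }
  return found;
}

// Classify each copy as "patched", "vulnerable", or "unknown" (no floor for that major line).
function audit(lock, minimums) {
  return findInstalled(lock, Object.keys(minimums)).map((pkg) => {
    const major = parseVersion(pkg.version)[0];
    const floor = minimums[pkg.name].find((m) => parseVersion(m)[0] === major) || null;
    let status = "unknown";
    if (floor) {
      status = compareVersions(pkg.version, floor) >= 0 ? "patched" : "vulnerable";
    }
    return { ...pkg, floor, status };
  });
}

// True when any copy is below its floor; "unknown" copies need manual review.
function hasVulnerableCopy(results) {
  return results.some((r) => r.status === "vulnerable");
}

function main() {
  const results = audit(SAMPLE_LOCK, PLACEHOLDER_MINIMUMS);
  for (const r of results) {
    console.log(`${r.status.padEnd(10)} ${r.name}@${r.version} (floor ${r.floor}) at ${r.path}`);
  }
  process.exitCode = hasVulnerableCopy(results) ? 1 : 0;
}

if (typeof require !== "undefined" && require.main === module) main();
```

To run this against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` and fill `PLACEHOLDER_MINIMUMS` from the advisories. Nested copies matter: a top-level upgrade can leave an older `react-server-dom-*` inside another dependency's `node_modules`, which is why the walk checks every path rather than only the top-level entry, and why an "unknown" result (a major line with no known floor) should be treated as a manual-review item rather than as clean.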