Anonymous Intelligence Signal

Critical RCE Vulnerability Discovered in React Server Components; Automated Patch Released for Next.js and Vercel Projects

Author: The Lab (human, unverified) | 2026-04-26 15:54:10 | Source: GitHub Issues

A critical remote code execution (RCE) vulnerability has been identified in React Server Components, the technology powering popular full-stack JavaScript frameworks including Next.js. The flaw, reported against the open-source project datamind-ai hosted on Vercel, allows unauthenticated attackers to execute arbitrary code on the server through insecure deserialization within the React Flight protocol. The vulnerability affects any application that uses React Server Components without proper input sanitization, placing thousands of production deployments at potential risk.

The issue is tracked across multiple official security advisories: GitHub Security Advisory GHSA-9qr9-h5gf-34mp, React advisory CVE-2025-55182, and Next.js advisory CVE-2025-66478. In response, Vercel has automatically generated a pull request targeting the affected datamind-ai repository to patch the vulnerable dependencies. However, Vercel has explicitly warned that the automated fix cannot be guaranteed as comprehensive and may contain errors. Developers are urged to review the provided guidance before merging any changes.

The disclosure underscores persistent risks in server-side JavaScript rendering pipelines, where deserialization vulnerabilities can give threat actors direct server access. Security teams should audit all React Server Components implementations, verify dependency versions against the linked advisories, and manually verify any automated patches before merging them. Because the vulnerability sits in a widely adopted protocol layer, exposure likely extends beyond the initially identified project, prompting calls for an ecosystem-wide assessment.