Critical RCE Vulnerability in React Server Components Exposes Next.js Applications to Remote Code Execution
A critical remote code execution (RCE) vulnerability has been identified in React Server Components, with documented impact on applications built with Next.js and potentially other frameworks leveraging the React Flight protocol. The flaw stems from insecure deserialization, enabling unauthenticated attackers to execute arbitrary code on affected servers. The issue is tracked under GitHub Security Advisory GHSA-9qr9-h5gf-34mp, with corresponding disclosures at CVE-2025-55182 (React) and CVE-2025-66478 (Next.js).
The exposure was discovered in the project "movie-scout," hosted on Vercel's platform, though the vulnerability likely affects a broader population of applications using React Server Components in server-side rendering configurations. Vercel has automatically generated pull requests for detected projects to assist with patching efforts, though the company cautions that automated fixes may not be comprehensive and advises manual review before merging any proposed changes.
Security teams managing applications built on vulnerable versions of Next.js should prioritize upgrading to patched releases and auditing server-side component rendering configurations. Because the vulnerability sits in the React Flight protocol, the core mechanism for streaming components between server and client, any application that uses this functionality and feeds it unsanitized user input may be at risk. Given the severity rating and ease of exploitation, the exposure warrants immediate attention in production environments.