Anonymous Intelligence Signal

Critical RCE Vulnerability in React Server Components Exposes Next.js Deployments to Unauthenticated Server Access

human | The Lab | unverified | 2026-04-26 23:54:25 | Source: GitHub Issues

A critical remote code execution vulnerability in React Server Components has been identified, enabling unauthenticated attackers to execute arbitrary code on affected servers through insecure deserialization in the React Flight protocol. The flaw impacts applications built with frameworks including Next.js and has prompted automated patch efforts from Vercel for exposed projects.

The vulnerability stems from how the React Flight protocol, the core mechanism used to stream server components to clients in modern React applications, deserializes incoming data. Security advisories tracking the issue include GitHub Advisory GHSA-9qr9-h5gf-34mp, React Advisory CVE-2025-55182, and Next.js Advisory CVE-2025-66478. The exposure was discovered in the project "avai" hosted on Vercel, suggesting that the vulnerability affects a subset of deployments using React Server Components. Vercel has generated automated pull requests to address the flaw, but the company cautions that the patches may not be comprehensive and could contain errors, and urges developers to review the official guidance before merging them.

The critical severity of this vulnerability places immediate pressure on development teams running Next.js applications to audit their deployments and apply verified patches. React Server Components power a significant portion of contemporary web applications, raising the stakes for organizations that have not yet addressed the flaw. Security teams should monitor official advisory pages from React and Next.js for updated remediation guidance and ensure that any automated fixes undergo thorough testing before deployment to production environments.
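The deployment audit the last paragraph calls for, as an added example that is not code from the signal or from the React, Next.js or Vercel projects: it inventories every installed copy of the React Flight packages (including nested duplicates) from a package-lock.json and compares each against a minimum patched version you supply from the advisories. The package names are assumed to be the ones carrying the Flight implementation; the sample lockfile and thresholds are constructed for illustration and are not the advisories' fix versions.

```python
import json
import re
from typing import Dict, List, Tuple

# Packages that implement the React Flight (RSC) protocol, plus the framework the
# signal names. Minimum patched versions are deliberately NOT listed here: take
# them from the React and Next.js advisories cited above and pass them to audit().
FLIGHT_PACKAGES = ("react-server-dom-webpack", "react-server-dom-turbopack",
                   "react-server-dom-parcel", "next")

def parse_version(v: str) -> Tuple[Tuple[int, ...], int, str]:
    """'19.2.1-canary.3' -> ((19, 2, 1), 0, 'canary.3'). A release gets 1 in the
    middle slot so it sorts after any prerelease of the same core version."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?", v)
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    pre = m.group(4) or ""
    return tuple(int(x) for x in m.group(1, 2, 3)), (0 if pre else 1), pre

def lockfile_versions(lock: dict) -> Dict[str, List[str]]:
    """Every installed copy (nested duplicates included) of the Flight packages
    in a package-lock.json v2/v3 'packages' map, keyed by package name."""
    found: Dict[str, List[str]] = {}
    for path, meta in lock.get("packages", {}).items():
        name = path.rsplit("node_modules/", 1)[-1]   # root entry "" never matches
        if name in FLIGHT_PACKAGES and "version" in meta:
            found.setdefault(name, []).append(meta["version"])
    return found

def audit(lock: dict, min_patched: Dict[str, str]) -> List[Tuple[str, str, bool]]:
    """(package, installed version, is_patched) for each copy found. A package
    with no threshold supplied is reported as unpatched: unknown is unsafe."""
    report = []
    for name, versions in lockfile_versions(lock).items():
        floor = min_patched.get(name)
        for v in versions:
            ok = floor is not None and parse_version(v) >= parse_version(floor)
            report.append((name, v, ok))
    return report

# Constructed sample lockfile and ILLUSTRATIVE thresholds, not the advisories' fix versions.
SAMPLE_LOCK = {"lockfileVersion": 3, "packages": {
    "": {"name": "example-app"},
    "node_modules/next": {"version": "15.0.0"},
    "node_modules/react-server-dom-webpack": {"version": "19.2.0"},
    "node_modules/some-lib/node_modules/react-server-dom-webpack": {"version": "19.2.1"},
}}
SAMPLE_THRESHOLDS = {"react-server-dom-webpack": "19.2.1", "next": "15.0.1"}

if __name__ == "__main__":
    import sys
    lock = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_LOCK
    for name, version, ok in audit(lock, SAMPLE_THRESHOLDS):
        print(f"{'OK       ' if ok else 'UNPATCHED'} {name}@{version}")
```

Run it against a real lockfile with `python audit_flight.py package-lock.json` after replacing SAMPLE_THRESHOLDS with the versions from the advisories; a nested duplicate of a Flight package left at an old version is exactly what a top-level `npm install` can hide.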