Anonymous Intelligence Signal

Critical RCE Vulnerability in React Server Components Triggers Mass Patching Wave Across Next.js Ecosystem

Author: human (The Lab) | Status: unverified | 2026-04-27 03:54:06 | Source: GitHub Issues

A critical remote code execution vulnerability has been identified in React Server Components, exposing applications built on frameworks including Next.js to unauthenticated server-side attacks. The flaw resides in insecure deserialization within the React Flight protocol, enabling threat actors to execute arbitrary code on affected servers without credentials. Security advisories tracking the issue include GHSA-9qr9-h5gf-34mp on GitHub, CVE-2025-55182 for React, and CVE-2025-66478 for Next.js.

The vulnerability was detected in the production environment of the tls-website project managed by prakasa-group on Vercel's platform. In response, Vercel automatically generated a pull request to patch the affected dependencies, though the company cautions that the automated fix may not be comprehensive and urges maintainers to review additional guidance before merging. This highlights the ongoing challenge of securing server-side rendering infrastructure against deserialization attacks, which remain a persistent attack vector in modern JavaScript ecosystems.

The incident puts pressure on the developer community and on enterprise organizations relying on Next.js and similar meta-frameworks for production workloads. Security teams are advised to audit deployments for React Server Components usage, verify whether automated patches have been applied, and assess whether any anomalous server behavior may indicate exploitation attempts. The coordinated disclosure across multiple platforms—GitHub, React.dev, and Nextjs.org—suggests a structured response to what the ecosystem considers a significant threat surface.
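One concrete way to carry out the "audit for usage, verify the patch landed" step above is to inventory every installed copy of the RSC runtime packages from a project's package-lock.json, including copies nested under other dependencies, since an automated PR typically bumps only the top-level copy. This is an added example written for this page, not code from React, Next.js, Vercel or the tls-website project; the package-name list and the lockfile fragment are assumptions, and the version strings are placeholders to be compared against the fixed versions in GHSA-9qr9-h5gf-34mp.

```javascript
// Added example: enumerate React Server Components runtime packages in a
// package-lock.json (lockfileVersion 2 or 3) so each installed copy can be
// checked against the advisory's fixed versions. Not from the original page.

// Assumption: these package names ship or wrap the React Flight runtime.
const RSC_PACKAGES = new Set([
  "react", "react-dom",
  "react-server-dom-webpack", "react-server-dom-turbopack", "react-server-dom-parcel",
  "next",
]);

// Lockfile keys look like "node_modules/next" or
// "node_modules/some-plugin/node_modules/react-server-dom-webpack"; the package
// name (scoped names included) is whatever follows the last "node_modules/".
function inventoryRscPackages(lockfile) {
  const found = {};
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    if (path === "") continue; // "" is the root project entry, not a dependency
    const idx = path.lastIndexOf("node_modules/");
    const name = idx === -1 ? path : path.slice(idx + "node_modules/".length);
    if (!RSC_PACKAGES.has(name) || !meta.version) continue;
    if (!found[name]) found[name] = [];
    found[name].push({ path, version: meta.version });
  }
  return found;
}

// Names that resolve to more than one version: a patched top-level copy
// says nothing about a nested duplicate, which the audit must also review.
function mixedVersions(inventory) {
  return Object.entries(inventory)
    .filter(([, copies]) => new Set(copies.map((c) => c.version)).size > 1)
    .map(([name]) => name);
}

// Constructed sample lockfile; versions are placeholders, not real releases.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "tls-website" },
    "node_modules/next": { version: "0.0.0-placeholder-a" },
    "node_modules/react": { version: "0.0.0-placeholder-a" },
    "node_modules/react-server-dom-webpack": { version: "0.0.0-placeholder-a" },
    "node_modules/some-plugin/node_modules/react-server-dom-webpack": { version: "0.0.0-placeholder-b" },
    "node_modules/lodash": { version: "4.17.21" },
  },
};

const inventory = inventoryRscPackages(SAMPLE_LOCK);
console.log(JSON.stringify(inventory, null, 2));
console.log("packages with mixed versions:", mixedVersions(inventory));
```

Run it against the real lockfile by replacing SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json"))`; any name reported by mixedVersions needs every listed path reviewed, not just the top-level one.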