Critical RCE Vulnerability in React Server Components Exposes Next.js Deployments to Unauthenticated Attacks
A critical remote code execution vulnerability has been identified in React Server Components, putting applications built on frameworks such as Next.js at risk. The flaw allows unauthenticated remote code execution on affected servers through insecure deserialization in the React Flight protocol. It is tracked under multiple identifiers, including CVE-2025-55182 (React Advisory) and CVE-2025-66478 (Next.js Advisory), with full technical details documented in GitHub Security Advisory GHSA-9qr9-h5gf-34mp.
The exposure was discovered in the Next.js project maintained by srpconsultinggroup and hosted on Vercel. In response, Vercel automatically generated a pull request to patch the identified vulnerabilities in the affected repository. Vercel has explicitly cautioned, however, that the automated fix is not guaranteed to be complete and may contain errors, and has advised maintainers to review the additional guidance carefully before merging any changes; manual verification of the patch therefore remains necessary to ensure complete remediation.
The vulnerability has serious implications for production environments that rely on React Server Components: successful exploitation would let an attacker execute arbitrary code on server infrastructure without authentication. Organizations running affected Next.js deployments should review the security advisories, apply verified patches as a priority, and monitor for indicators of compromise. The reliance on automated remediation, together with the acknowledged gaps in its coverage, raises concern about broader ecosystem exposure beyond the single project flagged in this incident.