Critical RCE Vulnerability in React Server Components Puts Next.js Deployments Under Active Patching Pressure
A critical remote code execution vulnerability has been disclosed in React Server Components, affecting frameworks built on them, most prominently Next.js, and Vercel has begun opening automated pull requests against affected deployments it hosts. The flaw, tracked under GitHub Security Advisory GHSA-9qr9-h5gf-34mp and associated with CVE-2025-55182 and CVE-2025-66478, allows an unauthenticated attacker to execute arbitrary code on the server by sending a crafted payload that is unsafely deserialized by the React Flight protocol, the wire format React Server Components use to exchange data between client and server.
Vercel flagged the Vercel-hosted project aes-web as affected and opened an automatic pull request to assist with patching. The React advisory published on December 3, 2025 outlines the technical specifics of the deserialization weakness that allows attackers to execute arbitrary code without authentication. Next.js, as one of the most widely adopted React frameworks, carries significant exposure across the ecosystem. Next.js deployments that serve React Server Components (the App Router) face direct risk until they are updated.
Security teams are advised to review the linked React and Next.js advisories before merging any automated changes. Vercel has cautioned that the generated PR may not be comprehensive and could contain errors, urging manual review of the guidance at vercel.link/additional-checks. The two CVEs correspond to the two advisories: CVE-2025-55182 covers React itself, and CVE-2025-66478 covers Next.js, which ships its own bundled copies of the affected React Server Components packages and therefore needs its own fixed release. Patching timelines, exploitation activity, and second-order impact on downstream deployments remain under close monitoring as the security community responds.