Anonymous Intelligence Signal

Critical RCE Vulnerability in React Server Components Puts Next.js Deployments at Risk

By: The Lab (human, unverified) | 2026-04-28 03:54:06 | Source: GitHub Issues

A critical remote code execution (RCE) vulnerability has been identified in React Server Components, enabling unauthenticated attackers to execute arbitrary code on the server through insecure deserialization in the React Flight protocol. The flaw impacts applications built on frameworks including Next.js, raising urgent security concerns across the ecosystem. An automated pull request generated by Vercel is now available to assist developers in patching the exposure.

The vulnerability was discovered in the scrollodex project hosted on Vercel's platform and is tracked under multiple coordinated security advisories: GitHub Security Advisory GHSA-9qr9-h5gf-34mp, React Advisory CVE-2025-55182, and Next.js Advisory CVE-2025-66478. The insecure deserialization flaw in the React Flight protocol allows attackers to craft malicious payloads that execute server-side code without authentication. Vercel has automatically generated a pull request targeting this issue, though the company cautions that it may not be fully comprehensive and advises manual review of their additional guidance before merging.

Security teams managing Next.js deployments or other React Server Components-based frameworks should treat this as a high-priority patching exercise. The availability of public CVE identifiers suggests the vulnerability details may become widely known, increasing the risk of exploitation against unpatched systems. Organizations are urged to evaluate the automated patch, cross-reference it against React and Next.js official advisories, and apply remediation without delay. Continued monitoring of the GitHub Security Advisory and framework-specific channels is recommended as the situation develops.
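The first step in the patching exercise described above is knowing which copies of the affected packages a deployment actually ships, including nested duplicates that a top-level upgrade can leave behind. The script below is an added example, not code from the advisories, Vercel or the React project; it inventories the resolved versions of the React Flight packages and next from an npm lockfile so they can be compared with the fixed versions listed in GHSA-9qr9-h5gf-34mp, CVE-2025-55182 and CVE-2025-66478. The package list in WATCHED is an assumption about which packages carry the Flight code, and the sample lockfile and its version strings are constructed placeholders, not real releases.

```python
"""Inventory React Flight / RSC packages in an npm lockfile.

Added example, not from the advisory, Vercel or React. It lists every
resolved copy (including nested duplicates) of the packages that implement
the React Flight protocol, plus next, so the versions can be compared with
the fixed versions stated in the advisories. It deliberately embeds no
fixed versions: take those from the advisory text itself.
"""
import json
import sys
from pathlib import Path

# Assumption: these packages carry the Flight (de)serialization code and the
# framework integration; adjust to the package list in the advisory you apply.
WATCHED = (
    "react",
    "react-dom",
    "react-server-dom-webpack",
    "react-server-dom-turbopack",
    "react-server-dom-parcel",
    "next",
)


def _pkg_name(node_path: str) -> str:
    """'node_modules/a/node_modules/@s/b' -> '@s/b' (lockfile v2/v3 keys)."""
    parts = node_path.split("node_modules/")
    return parts[-1].rstrip("/")


def collect_versions(lock: dict) -> list[tuple[str, str, str]]:
    """Return sorted (name, version, install path) triples for watched packages.

    Handles lockfileVersion 2/3 ("packages" map keyed by install path) and
    lockfileVersion 1 (recursive "dependencies" tree).
    """
    found: set[tuple[str, str, str]] = set()

    packages = lock.get("packages")
    if isinstance(packages, dict):
        for path, meta in packages.items():
            if not path:  # "" is the root project entry, not a dependency
                continue
            name = meta.get("name") or _pkg_name(path)
            if name in WATCHED and "version" in meta:
                found.add((name, meta["version"], path))

    def walk_v1(deps: dict, prefix: str) -> None:
        for name, meta in deps.items():
            loc = f"{prefix}node_modules/{name}"
            if name in WATCHED and "version" in meta:
                found.add((name, meta["version"], loc))
            walk_v1(meta.get("dependencies", {}), loc + "/")

    if "packages" not in lock:
        walk_v1(lock.get("dependencies", {}), "")
    return sorted(found)


def distinct_versions(lock: dict) -> dict[str, set[str]]:
    """Name -> set of versions present. More than one version for a name
    means a nested duplicate that a top-level upgrade may not replace."""
    out: dict[str, set[str]] = {}
    for name, version, _ in collect_versions(lock):
        out.setdefault(name, set()).add(version)
    return out


# Constructed sample lockfile (v3 shape) with a nested duplicate of
# react-server-dom-webpack; all version strings are placeholders.
SAMPLE_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "sample-app", "version": "0.0.1"},
        "node_modules/next": {"version": "0.0.0-placeholder"},
        "node_modules/react": {"version": "0.0.0-placeholder"},
        "node_modules/react-server-dom-webpack": {"version": "0.0.0-placeholder"},
        "node_modules/some-lib/node_modules/react-server-dom-webpack": {
            "version": "0.0.0-older-placeholder"
        },
        "node_modules/lodash": {"version": "4.17.21"},
    },
}

if __name__ == "__main__":
    # Usage: python rsc_inventory.py [path/to/package-lock.json]
    arg = sys.argv[1] if len(sys.argv) > 1 else None
    lock = json.loads(Path(arg).read_text()) if arg else SAMPLE_LOCK
    for name, version, location in collect_versions(lock):
        print(f"{name:28} {version:26} {location}")
    dupes = {n: v for n, v in distinct_versions(lock).items() if len(v) > 1}
    if dupes:
        print("multiple versions installed (check nested copies):", dupes)
```

Run it against each deployment's lockfile and compare every reported version, not just the top-level one, against the fixed versions in the advisories; a nested older copy under another dependency is exactly what an automated top-level bump can miss, which is one reason the Vercel pull request should be reviewed rather than merged blind.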