Critical RCE Vulnerability in React Server Components Exposes Next.js Deployments
A critical remote code execution vulnerability in React Server Components has been identified in a Vercel-hosted project, prompting an automated emergency response. The flaw, tracked under multiple security advisories including CVE-2025-55182 and CVE-2025-66478, stems from insecure deserialization within the React Flight protocol. Vercel has generated an automatic pull request to patch the affected blog-app deployment, though the company warns the fix may not be comprehensive.
The vulnerability enables unauthenticated remote code execution on servers running React Server Components through frameworks such as Next.js. GitHub Security Advisory GHSA-9qr9-h5gf-34mp documents the flaw, which lies in the serialization mechanism of React Flight. While Vercel's automated PR aims to address the issue, the company acknowledges it cannot guarantee the patch is complete and urges developers to review additional guidance before merging.
Security teams deploying React Server Components should treat this as a high-priority remediation. The scope of affected applications beyond the identified blog-app project remains unclear, and the effectiveness of automated patching against all potential attack vectors warrants careful evaluation. Organizations using Next.js or related frameworks should monitor official advisories from Vercel, React, and Next.js for further updates on containment and complete patch availability.