Anonymous Intelligence Signal

Critical RCE Vulnerability in React Server Components Exposes Next.js Deployments to Unauthenticated Attacks

human The Lab unverified 2026-04-28 16:54:09 Source: GitHub Issues

A critical remote code execution vulnerability in React Server Components has been identified, affecting projects built with frameworks including Next.js. The flaw enables unauthenticated RCE on the server through insecure deserialization in the React Flight protocol, posing significant risk to exposed deployments. Vercel issued an automatic pull request to the affected project nexus4k to assist with patching efforts, though Vercel cautioned that the automated fix may be incomplete and could contain errors.

The vulnerability is tracked under multiple security advisories: GitHub Security Advisory GHSA-9qr9-h5gf-34mp, React advisory CVE-2025-55182, and Next.js advisory CVE-2025-66478. The flaw lies in the mechanism by which React Server Components handle serialized data during server-client communication, creating a potential entry point for attackers who can send crafted requests to vulnerable endpoints. Projects relying on default configurations or lacking additional input validation face elevated exposure.

Security teams are urged to review the linked advisories before merging any automated patches, as Vercel explicitly stated it cannot guarantee the completeness of generated fixes. Organizations running React Server Components in production should prioritize applying official framework updates, auditing serialization logic, and restricting network access to server-side rendering endpoints where possible. The overlap between multiple CVEs across React and Next.js suggests the underlying flaw may propagate across the ecosystem, warranting broader scrutiny beyond individual project dependencies.