Critical RCE Vulnerability in React Server Components Triggers Emergency Vercel Patch Across Next.js Ecosystem
A critical remote code execution vulnerability in React Server Components has been identified in the open-source project cosmosai, prompting Vercel to open an automated pull request to patch it. The flaw resides in insecure deserialization within the React Flight protocol and could allow unauthenticated attackers to execute arbitrary code on affected servers. Several security advisories track the issue: GitHub Security Advisory GHSA-9qr9-h5gf-34mp, React advisory CVE-2025-55182, and Next.js advisory CVE-2025-66478.
The vulnerability specifically impacts frameworks that leverage React Server Components, with Next.js being among the most widely affected. Security researchers discovered that the insecure deserialization path in the React Flight protocol can be exploited without authentication, raising the severity rating significantly. Vercel's automated response suggests active exploitation may be possible in unpatched environments, though the company cautions that the generated patch may not be comprehensive and requires manual review before merging.
Organizations running Next.js or other React-based frameworks that utilize Server Components are advised to immediately assess their exposure and apply security updates. The cross-advisory tracking indicates this is a coordinated disclosure involving multiple stakeholders in the React ecosystem. Developers are urged to consult the official Vercel guidance and individual framework advisories for complete remediation steps, as partial patches may leave residual attack surface.
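Assessing exposure starts with knowing every installed copy of the Server Components packages, including nested copies that a top-level version bump can leave behind. The following inventory script is an added example, not code from Vercel, React or the advisories; the package names it watches for and the sample lockfile are constructed for illustration, and the affected version ranges must be taken from the advisories named above.

```javascript
// Added example: walk a package-lock.json (lockfileVersion 2 or 3 layout) and report
// every installed copy of the React Server Components packages. Assumed package
// names; affected/fixed versions are NOT encoded here, read them from the advisories.
const RSC_PACKAGES = new Set([
  "react-server-dom-webpack",
  "react-server-dom-turbopack",
  "react-server-dom-parcel",
  "next",
]);

// Lockfile keys are install paths; the package name is whatever follows the last
// "node_modules/" (two segments for scoped packages). Root/workspace entries yield null.
function packageNameFromPath(lockPath) {
  const idx = lockPath.lastIndexOf("node_modules/");
  return idx === -1 ? null : lockPath.slice(idx + "node_modules/".length);
}

// Minimal semver ordering: numeric major.minor.patch, with a prerelease sorting
// before the release that carries the same numbers.
function compareVersions(a, b) {
  const split = (v) => {
    const dash = v.indexOf("-");
    const core = dash === -1 ? v : v.slice(0, dash);
    return { nums: core.split(".").map(Number), pre: dash === -1 ? null : v.slice(dash + 1) };
  };
  const pa = split(a), pb = split(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa.nums[i] || 0) - (pb.nums[i] || 0);
    if (d !== 0) return d;
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1;
}

// Returns, per watched package: all installed copies, the oldest version present, and
// whether several versions coexist (a patched top-level copy plus an unpatched nested one).
function inventoryRscPackages(lockfile) {
  const found = {};
  for (const [lockPath, meta] of Object.entries(lockfile.packages || {})) {
    const name = packageNameFromPath(lockPath);
    if (!name || !RSC_PACKAGES.has(name) || !meta.version) continue;
    (found[name] = found[name] || []).push({ path: lockPath, version: meta.version });
  }
  const report = {};
  for (const [name, copies] of Object.entries(found)) {
    const versions = [...new Set(copies.map((c) => c.version))].sort(compareVersions);
    report[name] = { copies, oldest: versions[0], multipleVersions: versions.length > 1 };
  }
  return report;
}

// Constructed lockfile fragment with made-up versions (not a real project).
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app" },
    "node_modules/next": { version: "15.0.3" },
    "node_modules/react-server-dom-webpack": { version: "19.0.0" },
    "node_modules/some-ui-kit": { version: "2.1.0" },
    "node_modules/some-ui-kit/node_modules/react-server-dom-webpack": { version: "19.0.0-rc-abc123" },
    "node_modules/@types/react": { version: "19.0.0" },
  },
};
console.log(JSON.stringify(inventoryRscPackages(SAMPLE_LOCKFILE), null, 2));
```

To run against a real project, replace SAMPLE_LOCKFILE with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` and compare each reported version against the ranges in the advisories.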