Critical RCE Vulnerability in React Server Components Exposes Next.js Deployments via Insecure Deserialization
A critical remote code execution vulnerability in React Server Components has been identified, enabling unauthenticated attackers to execute arbitrary code on affected servers through insecure deserialization in the React Flight protocol. The flaw impacts applications built with frameworks that use React Server Components, including the widely deployed Next.js platform. Vercel's automated systems flagged the vulnerability during routine security analysis and opened a pull request carrying the patch for the affected project "quality-standards-webpage" before the issue could be exploited at scale.
The vulnerability stems from insecure deserialization handling within the React Flight protocol, a mechanism that transfers component data between server and client environments. Security researchers traced the flaw to GitHub Security Advisory GHSA-9qr9-h5gf-34mp, which has since been assigned multiple tracking identifiers across major advisory databases. The React team published CVE-2025-55182 documenting the technical specifics, while the Next.js project released companion advisory CVE-2025-66478 addressing framework-specific remediation steps. The existence of parallel advisories indicates the issue spans multiple layers of the technology stack, complicating the patching process for developers.
Security teams are urged to review their React Server Components implementations immediately and apply available patches before merging any automated pull requests from hosting platforms. Organizations running Next.js deployments on Vercel or on self-hosted infrastructure face potential exposure if they operate with unpatched versions of the affected components. The proliferation of React Server Components across modern web frameworks suggests the attack surface extends well beyond Next.js alone, raising concerns about cascading supply-chain effects if the vulnerability is actively exploited in the wild.
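The review the article calls for starts with an inventory: which copies of the React Flight (React Server Components) packages and of Next.js are actually installed, including transitive copies nested under other packages, and which of them sit below the fixed version named in the advisories. The script below is an added example written for this article, not code from Vercel, the React team or the Next.js project. It walks a lockfileVersion 2/3 `package-lock.json` and reports every copy of the watched packages. The package names (`react-server-dom-webpack`, `react-server-dom-parcel`, `react-server-dom-turbopack`, `next`) are real npm packages; which of them are affected and what the fixed versions are is not stated on this page, so the fixed-version map in the demo is a placeholder that must be replaced with the versions given in GHSA-9qr9-h5gf-34mp, CVE-2025-55182 and CVE-2025-66478. The sample lockfile and its version numbers are constructed for the demonstration.

```python
import json
import re
from typing import Dict, List, Tuple

# Real npm package names carrying the React Flight / React Server Components
# implementation, plus the Next.js framework package. Which of these are
# affected, and the fixed versions, must be taken from the advisories
# (GHSA-9qr9-h5gf-34mp, CVE-2025-55182, CVE-2025-66478); this script does not
# know them and the caller supplies them.
WATCHED_PACKAGES = (
    "react-server-dom-webpack",
    "react-server-dom-parcel",
    "react-server-dom-turbopack",
    "next",
)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(.+))?$")


def parse_version(v: str) -> Tuple[int, int, int, int, str]:
    """Parse 'MAJOR.MINOR.PATCH[-prerelease]' into a comparable tuple.

    A pre-release sorts below the final release with the same numbers (the
    0/1 flag), which is close enough to semver ordering for an audit."""
    m = _VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch), 0 if pre else 1, pre or "")


def is_below(installed: str, fixed: str) -> bool:
    """True when the installed version is older than the fixed version."""
    return parse_version(installed) < parse_version(fixed)


def find_watched(lock: dict) -> List[Tuple[str, str, str]]:
    """Return (name, node_modules path, version) for every copy of a watched
    package in a lockfileVersion 2/3 lock, nested transitive copies included."""
    hits = []
    for path, meta in lock.get("packages", {}).items():
        if not path:  # "" is the root project entry, not a dependency
            continue
        name = path.split("node_modules/")[-1]  # keeps "@scope/pkg" intact
        if name in WATCHED_PACKAGES:
            hits.append((name, path, meta.get("version", "")))
    return hits


def audit(lock: dict, fixed_versions: Dict[str, str]) -> List[Tuple[str, str, str, str]]:
    """Return (name, path, installed, fixed) for each watched copy below its
    fixed version. A watched package with no fixed version supplied is
    reported with fixed='?' rather than silently skipped."""
    findings = []
    for name, path, installed in find_watched(lock):
        fixed = fixed_versions.get(name)
        if fixed is None:
            findings.append((name, path, installed, "?"))
        elif is_below(installed, fixed):
            findings.append((name, path, installed, fixed))
    return findings


# Constructed sample lockfile: the project name is from the article, the
# package versions are invented for the demonstration only.
SAMPLE_LOCK = json.loads("""{
  "name": "quality-standards-webpage",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "quality-standards-webpage", "version": "1.0.0"},
    "node_modules/next": {"version": "15.0.3"},
    "node_modules/react-server-dom-webpack": {"version": "19.0.0"},
    "node_modules/next/node_modules/react-server-dom-turbopack": {"version": "19.0.0-rc-1"}
  }
}""")

if __name__ == "__main__":
    # PLACEHOLDER map: replace with the fixed versions from the advisories.
    placeholder_fixed = {"next": "0.0.0", "react-server-dom-webpack": "0.0.0"}
    for name, path, installed, fixed in audit(SAMPLE_LOCK, placeholder_fixed):
        print(f"{path}: {name}@{installed} (fixed: {fixed})")
```

Run it against a real lockfile by replacing `SAMPLE_LOCK` with `json.load(open("package-lock.json"))` and filling the fixed-version map from the advisories; a `"?"` in the output means the package is present but no fixed version was supplied, which is a gap in the inventory, not a clean result.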