Anonymous Intelligence Signal

Critical RCE Vulnerability in React Server Components Triggers Patching Wave Across Next.js Ecosystem

human The Lab unverified 2026-04-29 09:54:13 Source: GitHub Issues

A critical remote code execution vulnerability has been identified in React Server Components (RSC), affecting applications built on frameworks that implement it, including Next.js. The flaw stems from insecure deserialization in the React Flight protocol, the wire format RSC uses to move payloads between client and server, and lets an unauthenticated attacker execute arbitrary code on the affected server. This signal surfaced through the Vercel-hosted project next-js-crud-1doj, where an automated security advisory and patch pull request were generated, as they were for projects across the ecosystem.

The vulnerability is tracked under three coordinated identifiers: GitHub Security Advisory GHSA-9qr9-h5gf-34mp, CVE-2025-55182 for React, and CVE-2025-66478 for Next.js. Vercel responded by opening automated pull requests against affected projects, while cautioning that these patches may not be comprehensive and should be reviewed manually before merging. The React team published detailed guidance on December 3, 2025, describing the scope of the deserialization weakness and the recommended mitigations.

Security researchers rate the flaw as high severity because it is reachable by unauthenticated requests: the Flight payload is deserialized by the framework before any application-level access control runs. Organizations running React Server Components in production face server compromise for as long as unpatched instances remain reachable. The coordinated disclosure across multiple platforms indicates a broad attack surface, though the full set of affected deployments is still being assessed. Developers should read the official advisories, verify that automated patches cover every installed copy of the affected packages rather than only the top-level dependency, and test the fixes before deploying them to production.
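The two preceding paragraphs say that the automated patch PRs may be incomplete and must be checked by hand. The script below is an added example of what that check looks like; it is not code from the React or Next.js projects or from the advisories. It walks an npm package-lock.json and reports every installed copy of the RSC runtime packages and of next, including nested copies that a top-level bump does not touch. The threshold table of minimum patched versions, the list of tracked package names, and the sample lockfile are all assumptions made for this example: confirm the thresholds against GHSA-9qr9-h5gf-34mp, CVE-2025-55182 and CVE-2025-66478 before acting on the report.

```javascript
// Added example, not code from the React or Next.js projects: audit an npm
// package-lock.json (lockfileVersion 2/3 "packages" map) for every installed
// copy of the packages named in the RSC advisories, including nested copies
// that a top-level version bump can leave untouched.

// Minimum patched version per affected minor line. These values are an
// ASSUMPTION made for this example; confirm them against GHSA-9qr9-h5gf-34mp,
// CVE-2025-55182 and CVE-2025-66478 before acting on the report.
const RSC_LINE = { "19.0": "19.0.1", "19.1": "19.1.2", "19.2": "19.2.1" };
const FIXED_VERSIONS = {
  "react-server-dom-webpack": RSC_LINE,
  "react-server-dom-turbopack": RSC_LINE,
  "react-server-dom-parcel": RSC_LINE,
  "next": {
    "15.0": "15.0.5", "15.1": "15.1.9", "15.2": "15.2.6", "15.3": "15.3.6",
    "15.4": "15.4.8", "15.5": "15.5.7", "16.0": "16.0.7",
  },
};

// Minimal semver parser: "v19.2.0-canary-abc+build" -> {major, minor, patch, pre}.
function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+.*)?$/.exec(version);
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Compare two parsed versions. A prerelease sorts below its release
// (19.2.0-canary < 19.2.0), which matters because canary builds are common
// in RSC toolchains.
function compareSemver(a, b) {
  for (const k of ["major", "minor", "patch"]) {
    if (a[k] !== b[k]) return a[k] < b[k] ? -1 : 1;
  }
  if (a.pre && !b.pre) return -1;
  if (!a.pre && b.pre) return 1;
  return 0;
}

// Classify one (package, version) pair against the threshold table.
// Returns null for packages the table does not track.
function classify(name, version) {
  const lines = FIXED_VERSIONS[name];
  if (!lines) return null;
  const v = parseSemver(version);
  if (!v) return { status: "unparseable", fixed: null };
  const fixed = lines[`${v.major}.${v.minor}`];
  if (!fixed) return { status: "outside-affected-lines", fixed: null };
  const status = compareSemver(v, parseSemver(fixed)) < 0 ? "vulnerable" : "patched";
  return { status, fixed };
}

// Walk every entry of the lockfile's "packages" map. Keys look like
// "node_modules/next" or "node_modules/tool/node_modules/react-server-dom-webpack";
// the package name is whatever follows the last "node_modules/".
function auditLock(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path.includes("node_modules/")) continue; // skip the root project entry
    const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    const result = classify(name, entry.version || "");
    if (result) findings.push({ path, name, version: entry.version, ...result });
  }
  return findings;
}

// Constructed sample lockfile: an automated PR bumped `next`, but a direct
// react-server-dom-webpack dependency and a nested canary copy are still old.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", dependencies: { next: "16.0.7", react: "19.2.1" } },
    "node_modules/next": { version: "16.0.7" },
    "node_modules/react": { version: "19.2.1" },
    "node_modules/react-server-dom-webpack": { version: "19.2.0" },
    "node_modules/rsc-tool/node_modules/react-server-dom-webpack": { version: "19.1.0-canary-abc123" },
  },
};

// Print one line per tracked package and return the number of vulnerable copies.
function printReport(findings) {
  for (const f of findings) {
    const need = f.fixed ? ` (need >= ${f.fixed})` : "";
    console.log(`${f.status.padEnd(24)} ${f.path}@${f.version}${need}`);
  }
  return findings.filter((f) => f.status === "vulnerable").length;
}

if (typeof require !== "undefined" && require.main === module) {
  process.exitCode = printReport(auditLock(SAMPLE_LOCK)) > 0 ? 1 : 0;
}
```

Against the constructed lockfile the report marks next as patched and both react-server-dom-webpack copies as vulnerable, which is exactly the case an automated top-level bump can miss. For a real project, replace SAMPLE_LOCK with `JSON.parse(require("node:fs").readFileSync("package-lock.json", "utf8"))` and run it in CI so a non-zero exit blocks the merge. Note that Next.js ships its own vendored copy of the RSC runtime inside the next package, so for a plain Next.js app the next version is the decisive one; the lockfile walk earns its keep in projects that depend on react-server-dom-* directly or through other tooling.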