Anonymous Intelligence Signal

Critical RCE Vulnerability in React Server Components Exposes Next.js Applications to Remote Code Execution

Author: The Lab (human) | Status: unverified | 2026-04-29 15:54:12 | Source: GitHub Issues

A critical remote code execution vulnerability has been identified in React Server Components, with confirmed impact on projects built with Next.js and related frameworks. The flaw is an insecure deserialization issue in the handling of React Flight protocol payloads, and it allows unauthenticated attackers to execute arbitrary code on affected servers. The vulnerability first surfaced through security analysis of the ai-clip-maker project hosted on Vercel, prompting an immediate response from the platform's automated patching systems.

The exposure is tracked across three major security advisories: GitHub Security Advisory GHSA-9qr9-h5gf-34mp, React Advisory CVE-2025-55182, and Next.js Advisory CVE-2025-66478. Vercel has automatically generated a pull request for the affected repository to facilitate patching, though the company warns that the automated fix may not be comprehensive and could contain errors. Developers are urged to review Vercel's additional guidance before merging any proposed changes.

The vulnerability represents a significant supply-chain risk given the widespread adoption of Next.js and React Server Components in production environments. Organizations running affected configurations should treat this as a high-priority remediation item, particularly those exposing user-facing applications that process untrusted input through server components. Security teams should audit their dependency trees for vulnerable React and Next.js versions, including transitively installed copies, and apply the official patches as soon as they are available. Because the affected code path is a deserialization step in a protocol designed for server-to-client data streaming, and exploitation does not require authentication, the attack surface is unusually severe.
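The dependency-tree audit recommended above can be scripted against an npm lockfile. The following is an added example written for this note; it is not code from the advisory, from React, from Next.js or from Vercel. It assumes the lockfile v2/v3 layout (a `packages` map keyed by `node_modules/...` paths), a watched-package list that includes the `react-server-dom-*` Flight renderer packages alongside `react`, `react-dom` and `next`, and a table of patched versions that is a deliberately fake placeholder: substitute the fixed versions named in GHSA-9qr9-h5gf-34mp, CVE-2025-55182 and CVE-2025-66478 before relying on the output. Nested copies under a second `node_modules` directory are reported separately, because a patched top-level `react` says nothing about a transitive copy bundled by another dependency.

```javascript
// Added example: audit an npm package-lock.json (lockfile v2/v3) for React
// Server Components / Next.js packages and compare every installed copy,
// including nested node_modules copies, against a table of patched versions.
// Not code from the advisory, React, Next.js or Vercel.

// Package names to report on. The react-server-dom-* names are the Flight
// renderer packages; this list is an assumption of the example, not taken
// from the advisory text.
const WATCHED = [
  "react", "react-dom", "react-server-dom-webpack",
  "react-server-dom-parcel", "react-server-dom-turbopack", "next",
];

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into comparable parts; null if malformed.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v));
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Compare two parsed versions (-1, 0, 1). A prerelease sorts below the
// release it precedes, so "19.1.0-canary.1" counts as older than "19.1.0".
function compareVersions(a, b) {
  for (const k of ["major", "minor", "patch"]) {
    if (a[k] !== b[k]) return a[k] < b[k] ? -1 : 1;
  }
  if (a.pre === b.pre) return 0;
  if (a.pre === null) return 1;
  if (b.pre === null) return -1;
  return a.pre < b.pre ? -1 : 1;
}

// Classify one installed version: "patched" if it is at or above the fixed
// release on the same major.minor line, "vulnerable" if below it, and
// "unknown" when the table has no fixed release for that line (check the
// advisory by hand rather than assuming it is safe).
function classify(pkg, version, fixedVersions) {
  const installed = parseVersion(version);
  if (!installed) return "unknown";
  const fixes = (fixedVersions[pkg] || []).map(parseVersion).filter(Boolean);
  const sameLine = fixes.find(
    (f) => f.major === installed.major && f.minor === installed.minor
  );
  if (!sameLine) return "unknown";
  return compareVersions(installed, sameLine) >= 0 ? "patched" : "vulnerable";
}

// Walk every entry of the lockfile "packages" map and report each watched
// package occurrence with its install path, version and classification.
function auditLockfile(lock, fixedVersions) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();
    if (!WATCHED.includes(name) || !entry.version) continue;
    findings.push({
      path, name, version: entry.version,
      status: classify(name, entry.version, fixedVersions),
    });
  }
  return findings;
}

// Count findings per status so a CI job can fail on any "vulnerable" result.
function summarize(findings) {
  const counts = { patched: 0, vulnerable: 0, unknown: 0 };
  for (const f of findings) counts[f.status] += 1;
  return counts;
}

// Constructed sample lockfile fragment (not a real project's lockfile).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "0.1.0" },
    "node_modules/react": { version: "19.1.0" },
    "node_modules/react-dom": { version: "19.2.0" },
    "node_modules/react-server-dom-webpack": { version: "19.1.0" },
    "node_modules/next": { version: "15.5.0" },
    "node_modules/some-ui-kit/node_modules/react": { version: "19.1.99" },
    "node_modules/left-pad": { version: "1.3.0" },
  },
};

// PLACEHOLDER table with obviously fake patch levels. Replace with the fixed
// versions listed in GHSA-9qr9-h5gf-34mp / CVE-2025-55182 / CVE-2025-66478.
const PLACEHOLDER_FIXED = {
  react: ["19.1.99"],
  "react-server-dom-webpack": ["19.1.99"],
  next: ["15.5.99"],
};

for (const f of auditLockfile(SAMPLE_LOCK, PLACEHOLDER_FIXED)) {
  console.log(`${f.status.padEnd(10)} ${f.name}@${f.version}  (${f.path})`);
}
console.log(summarize(auditLockfile(SAMPLE_LOCK, PLACEHOLDER_FIXED)));
```

In a pipeline, load the real lockfile with `JSON.parse(fs.readFileSync("package-lock.json"))`, supply the advisory's fixed versions in place of `PLACEHOLDER_FIXED`, and fail the build when `summarize(...)` reports any `vulnerable` entry; treat `unknown` as a manual review item rather than a pass.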