Anonymous Intelligence Signal

Critical RCE Vulnerability in React Server Components Targets Next.js Deployments

Author: The Lab (human, unverified) | 2026-04-29 16:54:14 | Source: GitHub Issues

A critical remote code execution vulnerability in React Server Components has been identified in the project welth-worx-ai, Vercel warned in an automated security advisory. The flaw enables unauthenticated RCE on the server through insecure deserialization in the React Flight protocol, raising severe risk for applications built on frameworks including Next.js.

The vulnerability is tracked under multiple security advisories: GitHub Security Advisory GHSA-9qr9-h5gf-34mp, React advisory CVE-2025-55182, and Next.js advisory CVE-2025-66478. Vercel has generated an automated pull request to address the issue, though the company cautioned that the patch may not be comprehensive and urged developers to review additional guidance before merging. The company cannot guarantee the automated fix is complete or free of errors, according to the advisory.

React Server Components leverage the React Flight protocol to stream server-rendered content to the client. The deserialization flaw allows an unauthenticated attacker to inject malicious payloads during this process, potentially executing arbitrary code on the server. Applications relying on Next.js App Router with React Server Components are at elevated risk, particularly those handling sensitive data or integrating with AI workloads.

The vulnerability highlights a broader systemic risk: AI-centric projects like welth-worx-ai often depend on modern full-stack frameworks that bundle complex server-side logic, increasing the attack surface when underlying components contain critical flaws.

Developers are advised to audit dependencies immediately, apply the proposed patches cautiously, and monitor for indicators of exploitation until a fully verified fix is available.
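The dependency audit recommended above is easy to get wrong by checking only the top-level package.json: a vulnerable copy of a React Server Components package can also be nested under another dependency's node_modules. The following script is an added example, not code from the advisory, from Vercel or from the welth-worx-ai project. It walks an npm package-lock.json (lockfile v2/v3 "packages" map), lists every installed copy of the React / Next.js packages involved in the Flight protocol, and flags copies below a minimum patched version supplied by the caller. The package list, the sample lockfile and the demo thresholds are all constructed here; the actual patched versions must be taken from GHSA-9qr9-h5gf-34mp, CVE-2025-55182 and CVE-2025-66478.

```javascript
// Added example: audit an npm lockfile for React Server Components packages.
// Not the project's own code. Threshold versions are supplied by the caller;
// the DEMO_PATCHED values below are CONSTRUCTED placeholders, not the versions
// named in the React / Next.js advisories.

// Packages that implement or bundle the React Flight protocol (assumed list).
const WATCHED = [
  "react",
  "react-dom",
  "react-server-dom-webpack",
  "react-server-dom-turbopack",
  "react-server-dom-parcel",
  "next",
];

// Parse "1.2.3", "v1.2.3" or "1.2.3-canary.5" into comparable parts.
function parseSemver(v) {
  const [core, pre] = String(v).replace(/^v/, "").split("-", 2);
  const nums = core.split(".").map((n) => parseInt(n, 10) || 0);
  while (nums.length < 3) nums.push(0);
  return { nums, pre: pre || null };
}

// Comparator semantics (<0, 0, >0). A prerelease sorts below its release,
// so "19.1.5-canary.1" is treated as older than "19.1.5".
function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] - pb.nums[i];
  }
  if (pa.pre && !pb.pre) return -1;
  if (!pa.pre && pb.pre) return 1;
  return 0;
}

// Package name from a lockfile path key; handles nested and scoped packages
// ("node_modules/a/node_modules/@scope/b" -> "@scope/b").
function nameFromKey(key) {
  const marker = "node_modules/";
  const i = key.lastIndexOf(marker);
  return i === -1 ? null : key.slice(i + marker.length);
}

// Every installed copy of a watched package: [{ name, path, version }].
function findInstalled(lock, watched = WATCHED) {
  const out = [];
  for (const [key, meta] of Object.entries(lock.packages || {})) {
    const name = nameFromKey(key);
    if (name && watched.includes(name) && meta.version) {
      out.push({ name, path: key, version: meta.version });
    }
  }
  return out;
}

// Compare each installed copy against the caller's minimum patched versions.
// status: "vulnerable" (below threshold), "patched", or "unknown" (no threshold given).
function audit(lock, patched, watched = WATCHED) {
  return findInstalled(lock, watched).map((pkg) => {
    const min = patched[pkg.name];
    let status = "unknown";
    if (min) status = compareSemver(pkg.version, min) < 0 ? "vulnerable" : "patched";
    return { ...pkg, status };
  });
}

// One printable line per finding, vulnerable copies first.
function report(lock, patched, watched = WATCHED) {
  const rank = { vulnerable: 0, unknown: 1, patched: 2 };
  return audit(lock, patched, watched)
    .sort((a, b) => rank[a.status] - rank[b.status])
    .map((r) => `${r.status.padEnd(10)} ${r.name}@${r.version}  (${r.path})`);
}

// Constructed sample lockfile: a root app plus a nested duplicate of
// react-server-dom-webpack pulled in by a hypothetical UI library.
const SAMPLE_LOCK = {
  name: "sample-app",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { next: "*", react: "*" } },
    "node_modules/next": { version: "15.0.0" },
    "node_modules/react": { version: "19.1.5" },
    "node_modules/react-dom": { version: "19.1.6" },
    "node_modules/react-server-dom-webpack": { version: "19.1.5" },
    "node_modules/react-server-dom-turbopack": { version: "19.1.5" },
    "node_modules/some-ui-lib": { version: "2.0.0" },
    "node_modules/some-ui-lib/node_modules/react-server-dom-webpack": {
      version: "19.0.0-canary.3",
    },
  },
};

// CONSTRUCTED demo thresholds; replace with the versions from the advisories.
const DEMO_PATCHED = {
  react: "19.1.5",
  "react-dom": "19.1.5",
  "react-server-dom-webpack": "19.1.5",
  next: "15.0.9",
};

console.log(report(SAMPLE_LOCK, DEMO_PATCHED).join("\n"));
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` and fill in the thresholds from the advisories; the nested duplicate in the sample is the case a top-level-only check misses, and the "unknown" status is there so a package you forgot to give a threshold is surfaced rather than silently treated as safe.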