Critical RCE Vulnerability Disclosed in React Server Components via Insecure Deserialization in React Flight Protocol
A critical remote code execution vulnerability has been identified in React Server Components, enabling unauthenticated RCE on affected servers through insecure deserialization within the React Flight protocol. The flaw impacts popular frameworks including Next.js, raising immediate security concerns for organizations deploying these technologies in production environments.
The vulnerability was discovered in a Vercel-hosted project and is now tracked under GitHub Security Advisory GHSA-9qr9-h5gf-34mp. Security advisories have been issued across multiple platforms: React Advisory CVE-2025-55182 and Next.js Advisory CVE-2025-66478. Vercel has automatically generated patch pull requests for affected projects, though the company cautions that these automated fixes may not be comprehensive and could contain errors. Developers are advised to review Vercel's additional guidance before merging any changes.
The attack vector exploits the React Flight protocol's deserialization mechanism, which handles server-to-client data transfer in component hierarchies. Unlike vulnerabilities requiring authentication or user interaction, this flaw permits remote code execution without any credentials, significantly escalating its severity. Organizations running Next.js or similar React Server Component frameworks should prioritize patching and conduct audits of their current deployments. The disclosure comes amid growing scrutiny of server-side rendering security models, where the boundary between trusted server operations and untrusted client input remains a persistent challenge.
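Patching starts with knowing which deployments actually carry the affected packages. The script below is an added example, not code from the advisory, React, Next.js or Vercel: it walks an npm `package-lock.json`, lists every installed copy of a React Server Components package (`next` and the `react-server-dom-*` runtimes, including nested duplicates that a top-level dependency view can hide), and flags copies below an operator-supplied fixed version. The lockfile contents and the fixed versions in the demo are constructed placeholders; the real fixed versions must be taken from GHSA-9qr9-h5gf-34mp, CVE-2025-55182 and CVE-2025-66478.

```javascript
// Added example, not code from the advisory, React or Next.js: inventory the
// React Server Components packages recorded in an npm package-lock.json and
// flag those below an operator-supplied fixed version. The fixed versions in
// the demo are ASSUMED placeholders; take the real ones from GHSA-9qr9-h5gf-34mp,
// CVE-2025-55182 and CVE-2025-66478.

// Constructed lockfile in the npm lockfileVersion 3 layout, embedded so the
// script runs offline. All versions are made up for the demo.
const SAMPLE_LOCKFILE = JSON.stringify({
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/next": { version: "15.0.0" },
    "node_modules/react": { version: "19.0.0" },
    "node_modules/react-server-dom-webpack": { version: "19.0.0" },
    "node_modules/some-lib/node_modules/react-server-dom-webpack": { version: "18.3.1" },
    "node_modules/lodash": { version: "4.17.21" },
  },
});

// ASSUMED fixed versions for the demo only (placeholders, not from the advisory).
const ASSUMED_FIXED_VERSIONS = {
  "react-server-dom-webpack": "19.0.1",
  next: "15.0.1",
};

// Packages that ship the React Flight server/client runtime. "next" is matched
// exactly so that unrelated packages such as next-auth are not reported.
function isRscPackage(name) {
  return name === "next" || name.startsWith("react-server-dom-");
}

// Lockfile keys look like "node_modules/a" or "node_modules/a/node_modules/b";
// the package name is everything after the last "node_modules/" segment.
function packageNameFromKey(key) {
  const marker = "node_modules/";
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? null : key.slice(idx + marker.length);
}

// Minimal semver parse: major.minor.patch, ignoring prerelease/build suffixes.
// A prerelease such as "19.0.0-canary-abc" therefore compares equal to 19.0.0,
// so an "ok" result for a prerelease build is a hint, not proof.
function parseVersion(v) {
  const core = v.split(/[-+]/)[0];
  const parts = core.split(".").map((p) => Number.parseInt(p, 10));
  if (parts.length !== 3 || parts.some((p) => Number.isNaN(p))) {
    throw new Error(`unparseable version: ${v}`);
  }
  return parts;
}

// Returns -1, 0 or 1 like a comparator.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Walk the lockfile and collect every installed copy of an RSC package,
// including nested duplicates that a top-level dependency listing can hide.
function inventoryRscPackages(lockfileText) {
  const lock = JSON.parse(lockfileText);
  const found = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    const name = packageNameFromKey(key);
    if (name && isRscPackage(name) && entry.version) {
      found.push({ name, version: entry.version, path: key });
    }
  }
  return found;
}

// Classify each installed copy against the supplied fixed versions.
function auditLockfile(lockfileText, fixedVersions) {
  return inventoryRscPackages(lockfileText).map((pkg) => {
    const fixed = fixedVersions[pkg.name];
    let status;
    if (fixed === undefined) status = "no-fixed-version-supplied";
    else status = compareVersions(pkg.version, fixed) < 0 ? "needs-review" : "ok";
    return { ...pkg, fixed: fixed ?? null, status };
  });
}

// Demo run against the constructed lockfile.
for (const row of auditLockfile(SAMPLE_LOCKFILE, ASSUMED_FIXED_VERSIONS)) {
  console.log(`${row.status.padEnd(26)} ${row.name}@${row.version} (${row.path})`);
}
```

To run it against a real project, pass the contents of its `package-lock.json` (for example `fs.readFileSync("package-lock.json", "utf8")`) to `auditLockfile` together with the fixed versions published in the advisories. The `no-fixed-version-supplied` status is deliberate: a package the script recognises but has no threshold for is reported rather than silently marked safe, so the inventory stays honest when new affected packages are added to the advisory.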