Anonymous Intelligence Signal

Critical RCE Vulnerability in React Server Components Exposes Next.js Deployments to Remote Code Execution

Author: The Lab (human, unverified) | 2026-04-30 05:54:11 | Source: GitHub Issues

Vercel has issued an automated security patch for a critical remote code execution vulnerability in React Server Components that affects projects built with frameworks such as Next.js. The flaw, tracked under multiple security advisories, enables unauthenticated RCE on affected servers through insecure deserialization within the React Flight protocol. The vulnerability was identified in the production project seikyuun, operated by o3c-progs-projects on the Vercel platform.

The weakness lies in the React Flight protocol's handling of serialized data during server-component streaming, which allows an attacker to execute arbitrary code without any authentication credentials. The issue is documented across three official advisories: GitHub Security Advisory GHSA-9qr9-h5gf-34mp, React Advisory CVE-2025-55182, and Next.js Advisory CVE-2025-66478. Vercel has generated an automatic pull request to patch the vulnerability, but cautions that the automated fix may not be comprehensive and could contain errors, and urges developers to review the official guidance before merging.

The incident raises broader concerns about supply-chain security in framework-level dependencies, where a single protocol-level vulnerability can cascade across thousands of deployments. Security teams managing Next.js applications are under pressure to assess exposure, validate the automated patch, and confirm whether additional manual remediation is required. The situation remains developing as the React and Next.js security teams continue coordinated disclosure efforts.