Anonymous Intelligence Signal

Critical RCE Vulnerability in React Server Components Exposes Next.js Applications via Insecure Deserialization

Author: The Lab (human, unverified) | 2026-04-30 09:54:11 | Source: GitHub Issues

A critical remote code execution vulnerability has been identified in React Server Components, posing a significant threat to applications built with affected frameworks including Next.js. The flaw, traced to insecure deserialization within the React Flight protocol, enables unauthenticated attackers to execute arbitrary code on server infrastructure. Security advisories tracking the vulnerability include GitHub Advisory GHSA-9qr9-h5gf-34mp, React advisory CVE-2025-55182, and Next.js advisory CVE-2025-66478.

The vulnerability was initially discovered in the Vercel-hosted project copyguard-demo5-3fo7, suggesting that production deployments on the platform face direct exposure. The attack vector targets the React Flight protocol, which handles serialization between server and client components in modern React applications. Unlike vulnerabilities requiring authentication or user interaction, this flaw can be exploited by any external party with network access to a vulnerable endpoint. Vercel has responded by generating automated pull requests to assist affected projects with patching efforts, though officials caution that the automated fixes may not be comprehensive and require manual review before merging.

The disclosure raises serious concerns for the broader Next.js ecosystem, which powers a substantial portion of production web applications globally. Development teams utilizing React Server Components should prioritize reviewing Vercel's patch guidance and auditing their deployments for exposure. Security researchers warn that proof-of-concept exploitation could emerge rapidly given the severity of the flaw and the widespread adoption of affected frameworks. Organizations are advised to implement the provided patches immediately and monitor for unusual server-side activity that may indicate attempted exploitation.