Critical RCE Vulnerability Discovered in React Server Components, Next.js Frameworks Under Threat
A critical remote code execution vulnerability has been identified in React Server Components, with direct implications for applications built on Next.js and other frameworks that implement RSC. The flaw enables unauthenticated RCE against affected servers through insecure deserialization in the React Flight protocol, the wire format React uses to stream server components and to carry arguments for Server Actions between client and server. The issue is tracked under CVE-2025-55182 and CVE-2025-66478. The exposure was flagged in the project fitness-miniapp-efw3, for which automated patches are now being generated.
The weakness lies in how the server side of React Flight decodes the serialized data it receives, the same machinery that handles server component streaming and the arguments sent to Server Actions. An attacker who can reach an RSC or Server Action endpoint can submit a crafted Flight payload that, when decoded by a vulnerable server, results in arbitrary code execution with no authentication required. Any deployment that renders React Server Components with an affected React 19 server package (react-server-dom-webpack, react-server-dom-parcel or react-server-dom-turbopack), or with an affected Next.js release using the App Router, is exposed, which puts a large share of production Next.js deployments within reach. The affected and patched versions are enumerated in the advisories; GitHub Security Advisory GHSA-9qr9-h5gf-34mp provides technical details on the flaw's mechanics.
Developers using Next.js or other RSC-compatible frameworks should review the official advisories from React and Next.js before merging any automated pull request, and confirm that the bumped versions match the patched releases named there rather than simply the latest available. Security teams should inventory their deployments for the affected packages, including copies vendored inside a framework that a top-level dependency listing will not show, and apply patches according to the published guidance. The discovery underscores ongoing concern about deserialization flaws in server-side JavaScript frameworks, an area that has come under increased scrutiny as frameworks move more rendering and request handling onto the server.
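One way to carry out the exposure assessment described above, covering both the affected-package list and the advice to check vendored copies, as an added example that is not code from React, Next.js or the fitness-miniapp-efw3 project: a Node.js script that walks an npm package-lock.json (lockfileVersion 2 or 3) and reports every installed copy of the React Flight server packages and of Next.js that sits below the patched release for its line. The patched-version table, the function names (`findExposure`, `classify`, `compareVersions`) and the embedded sample lockfile are this example's own assumptions; the floors reflect my reading of the React and Next.js advisories and must be confirmed against GHSA-9qr9-h5gf-34mp and the Next.js advisory before the output is acted on.

```javascript
// Added example (not code from React, Next.js or the page's project): flag
// installed packages that fall below the patched release for the React Flight
// RCE. Reads an npm package-lock.json (lockfileVersion 2 or 3, "packages" map).
//
// ASSUMPTION: the patched floors below are my reading of the React advisory
// (GHSA-9qr9-h5gf-34mp) and the Next.js advisory. Verify them against the
// advisories before acting on any result, and add lines as new fixes ship.
const REACT_FLIGHT_FLOORS = { "19.0": "19.0.1", "19.1": "19.1.2", "19.2": "19.2.1" };
const PATCHED_FLOORS = {
  "react-server-dom-webpack": REACT_FLIGHT_FLOORS,
  "react-server-dom-parcel": REACT_FLIGHT_FLOORS,
  "react-server-dom-turbopack": REACT_FLIGHT_FLOORS,
  // Next.js vendors its own React Flight build under next/dist/compiled, so a
  // lockfile never lists that copy: the framework version is what matters.
  "next": { "15.0": "15.0.5", "15.1": "15.1.9", "15.2": "15.2.6", "15.3": "15.3.6",
            "15.4": "15.4.8", "15.5": "15.5.7", "16.0": "16.0.7" },
};

// Parse "major.minor.patch[-prerelease]"; returns null for anything else.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v);
  if (!m) return null;
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Numeric compare; a prerelease sorts below the release with the same numbers,
// so "16.0.7-canary.1" is treated as still unpatched relative to "16.0.7".
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] < pb.nums[i] ? -1 : 1;
  }
  if (pa.pre && !pb.pre) return -1;
  if (!pa.pre && pb.pre) return 1;
  return 0;
}

// Classify one installed version against the floor for its major.minor line.
function classify(name, version) {
  const floors = PATCHED_FLOORS[name];
  if (!floors) return "not-tracked";
  const parsed = parseVersion(version);
  if (!parsed) return "unparseable";
  const floor = floors[`${parsed.nums[0]}.${parsed.nums[1]}`];
  if (!floor) return "unknown-line"; // line not in the table: check the advisory by hand
  return compareVersions(version, floor) < 0 ? "vulnerable" : "patched";
}

// Walk every installed copy, including nested node_modules, of the tracked packages.
function findExposure(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf("node_modules/");
    if (idx === -1) continue; // root entry or workspace link, not an installed package
    const name = path.slice(idx + "node_modules/".length);
    if (!(name in PATCHED_FLOORS)) continue;
    findings.push({ path, name, version: entry.version, status: classify(name, entry.version) });
  }
  return findings;
}

// Constructed sample lockfile (not any real project's lockfile): two vulnerable
// top-level packages plus one patched copy nested under another dependency.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { next: "15.5.6", react: "19.2.0" } },
    "node_modules/next": { version: "15.5.6" },
    "node_modules/react": { version: "19.2.0" },
    "node_modules/react-server-dom-webpack": { version: "19.2.0" },
    "node_modules/some-tool/node_modules/react-server-dom-webpack": { version: "19.2.1" },
  },
};

// Usage: node check-flight-rce.js [path/to/package-lock.json]
if (typeof require !== "undefined" && require.main === module) {
  const fs = require("fs");
  const lock = process.argv[2]
    ? JSON.parse(fs.readFileSync(process.argv[2], "utf8"))
    : SAMPLE_LOCK;
  for (const f of findExposure(lock)) {
    console.log(`${f.status.padEnd(12)} ${f.name}@${f.version}  (${f.path})`);
  }
}
```

The script deliberately reports nested copies separately, because a patched top-level package says nothing about a second copy hoisted under another dependency, and it treats a release line it does not know about as "unknown-line" rather than silently passing it. The `react` package itself is not checked: the decoding bug lives in the react-server-dom-* packages and in the copy Next.js vendors, so for an App Router application the `next` version is the decisive field. pnpm and yarn lockfiles use different layouts and would need their own walker.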