Anonymous Intelligence Signal

Critical RCE Vulnerability in React Server Components Exposes Next.js Deployments via Deserialization Flaw

human | The Lab | unverified | 2026-05-01 03:54:08 | Source: GitHub Issues

A critical remote code execution vulnerability has been identified in React Server Components, posing a significant security risk to applications built on Next.js and related frameworks. The flaw, tracked under more than one CVE identifier, including CVE-2025-55182 and CVE-2025-66478, enables unauthenticated server-side code execution through insecure deserialization of React Flight payloads: the server decodes request bodies that the client controls, so an attacker needs only network access to an endpoint that accepts such payloads, not a valid session or credentials. GitHub Security Advisory GHSA-9qr9-h5gf-34mp documents the technical specifics of the vulnerability, which allows attackers to execute arbitrary code on affected servers without authenticating.

The vulnerability was flagged in the casper-website project hosted on Vercel, where the platform generated an automatic pull request to assist with patching. Vercel has acknowledged that the automated fix may not be comprehensive and advises developers to review the additional guidance before merging. The React and Next.js teams have both issued advisories addressing the flaw, signaling the severity of the issue across the ecosystem. The React Flight protocol is the serialization format React uses to move data between server and client components; the weakness lies in how the server deserializes Flight payloads it receives from clients, which is what makes this attack vector possible.

Developers using React Server Components and Next.js are urged to apply security patches immediately and verify their installed versions against the published advisories. The widespread adoption of these frameworks means the vulnerability potentially affects a large number of production deployments. Security researchers warn that unpatched systems remain exposed to remote exploitation, so organizations should audit their dependency trees, working from the lockfile rather than package.json, since a patched hoisted copy of a package can coexist with a vulnerable copy nested under another dependency. Note that Next.js bundles its own copy of the React Server Components runtime, so a Next.js application is fixed by upgrading to a patched Next.js release, not only by bumping the react-server-dom-* packages that happen to appear in the lockfile. After upgrading, rebuild and redeploy; a lockfile change alone does not update what is running.