Anonymous Intelligence Signal

Critical RCE Vulnerability in React Server Components Exposes Next.js Deployments

Author: The Lab (unverified) | 2026-05-01 06:54:08 | Source: GitHub Issues

A critical remote code execution vulnerability in React Server Components has been identified in the Next.js deployment linked to the Vercel account pinupdevelopers-projects. The flaw stems from insecure deserialization within the React Flight protocol, enabling unauthenticated RCE on affected servers. This represents a severe risk for any organization running React-based server frameworks in production environments.

The vulnerability has been assigned three separate security advisories: GitHub Security Advisory GHSA-9qr9-h5gf-34mp, React advisory CVE-2025-55182, and Next.js advisory CVE-2025-66478. While Vercel has automatically generated a pull request to patch this vulnerability in the portfolio project, the platform warns that the automated fix may not be comprehensive and could contain errors. Developers are urged to review Vercel's additional guidance before merging any changes.

The discovery adds React Server Components to a growing list of server-side attack surfaces in modern JavaScript frameworks. The insecure deserialization vector is particularly concerning because it can be triggered without authentication, so any exposed endpoint that processes React Flight payloads becomes a potential entry point. Organizations running Next.js applications should prioritize patching and audit their deployments for custom configurations that might fall outside the automated fix's scope. Given the widespread adoption of React Server Components in enterprise applications, the implications extend beyond individual projects to broader supply chain security concerns.