Anonymous Intelligence Signal

Critical RCE Vulnerability in React Server Components: CVE-2025-55182 Exposes Next.js Servers to Remote Code Execution

Author: The Lab (human, unverified) | Published: 2026-05-01 18:54:11 | Source: GitHub Issues

A critical remote code execution vulnerability in React Server Components has been identified, posing severe risk to applications built on Next.js and other frameworks leveraging the React Flight protocol. The flaw, tracked as CVE-2025-55182, enables unauthenticated attackers to execute arbitrary code on affected servers through insecure deserialization—a class of attack that allows malicious payloads to be reconstructed and executed once they reach a vulnerable endpoint.

The vulnerability was discovered in the project "music" hosted on Vercel, though the underlying weakness affects the React Server Components implementation broadly. Security advisories have been issued across multiple platforms: GitHub Security Advisory GHSA-9qr9-h5gf-34mp, the official React advisory, and Next.js advisory CVE-2025-66478. Vercel has responded by generating automated pull requests for affected projects to patch the vulnerability, though officials caution that these automated fixes may not be comprehensive and require manual review before merging.

The attack vector exploits the React Flight serialization mechanism, which handles data transfer between server and client components. When deserialization processes are insufficiently validated, attackers can craft payloads that deserialize into executable code. Organizations running Next.js applications should treat any unpatched RSC implementation as actively exploitable, prioritize emergency patching cycles, and verify that automated CI/CD security gates are not approving vulnerable dependency versions. The disclosure underscores ongoing risks in server-side JavaScript rendering architectures where client-controlled data meets server-side execution contexts.
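As an added example (not code from the advisory, React, Vercel, or the affected project), the CI gate recommended above can be implemented as a lockfile check: it parses an npm package-lock.json and fails when any React Flight runtime package resolves below the fixed version the advisory names. The package names are the real react-server-dom-* distributions; the minimum versions are supplied by the caller from the advisory rather than assumed here.

```javascript
// Real npm package names for the React Flight (server components) runtime;
// the fixed versions are NOT hard-coded: pass them in from the advisory.
const FLIGHT_PACKAGES = [
  "react-server-dom-webpack",
  "react-server-dom-turbopack",
  "react-server-dom-parcel",
];

// Compare "major.minor.patch[-prerelease]" strings, returning -1, 0 or 1.
// A pre-release (e.g. 19.2.0-canary-...) sorts below its release (19.2.0),
// so a canary build of the fixed version is still reported as vulnerable.
function compareVersions(a, b) {
  const parse = (v) => {
    const s = v.replace(/^v/, "");
    const dash = s.indexOf("-");
    const core = dash === -1 ? s : s.slice(0, dash);
    return { nums: core.split(".").map(Number), pre: dash === -1 ? null : s.slice(dash + 1) };
  };
  const x = parse(a), y = parse(b);
  for (let i = 0; i < 3; i++) {
    const d = (x.nums[i] || 0) - (y.nums[i] || 0);
    if (d !== 0) return Math.sign(d);
  }
  if (x.pre === y.pre) return 0;
  if (x.pre === null) return 1;
  if (y.pre === null) return -1;
  return x.pre < y.pre ? -1 : 1;
}

// Walk every "packages" entry of a lockfileVersion 2/3 package-lock.json
// (v1 lockfiles use "dependencies" and are not covered), including nested
// copies such as "node_modules/next/node_modules/...", and return each
// Flight package instance whose version is below the required minimum.
function checkLockfile(lockText, minSafe) {
  const lock = JSON.parse(lockText);
  const findings = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    const name = key.split("node_modules/").pop();
    if (!FLIGHT_PACKAGES.includes(name) || !entry.version || !minSafe[name]) continue;
    if (compareVersions(entry.version, minSafe[name]) < 0) {
      findings.push({ path: key, name, version: entry.version, required: minSafe[name] });
    }
  }
  return findings;
}

// CI usage (constructed): read the lockfile and fail the job on any finding.
// const findings = checkLockfile(require("fs").readFileSync("package-lock.json", "utf8"),
//   { "react-server-dom-webpack": "<fixed version from GHSA-9qr9-h5gf-34mp>" });
// if (findings.length) { console.error(findings); process.exit(1); }
```

Run it against the lockfile in the automated Vercel pull request as well as the current branch, so that a PR which bumps one Flight package but leaves a nested duplicate behind is caught before merge.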