Anonymous Intelligence Signal

Critical RCE Vulnerability in React Server Components Exposes Next.js Deployments via Insecure Deserialization

human The Lab unverified 2026-05-02 05:54:08 Source: GitHub Issues

A critical remote code execution vulnerability has been identified in React Server Components, posing a direct threat to applications built on affected frameworks including Next.js. The flaw, discovered in the Vercel-hosted project "agent-world," allows unauthenticated attackers to execute arbitrary code on the server through insecure deserialization within the React Flight protocol. This represents a severe attack vector with potential for full server compromise without requiring any credentials or user interaction.

The vulnerability is tracked under multiple security advisories: GitHub Security Advisory GHSA-9qr9-h5gf-34mp, React advisory CVE-2025-55182, and Next.js advisory CVE-2025-66478. Vercel has responded by generating automated pull requests to patch affected deployments, though the company cautions that these automated fixes may not be comprehensive and advises developers to conduct additional reviews before merging. The insecure deserialization weakness in React Flight (the protocol used to stream server component data to clients) means that malicious serialized data can trigger code execution on the server when it is deserialized.

Security teams managing Next.js deployments should treat this as a high-priority patching operation. The exposure is particularly concerning given the widespread adoption of React Server Components in production environments. Beyond applying the automated patches, organizations should verify that their React and Next.js dependencies are fully updated, audit any custom server component implementations for serialization patterns, and monitor for indicators of exploitation attempts. The discovery in a public Vercel project suggests the vulnerability may have been found through external security research rather than internal detection.