Vercel Flags Critical RCE Vulnerability in React Server Components via Insecure Deserialization
Security researchers have identified a critical remote code execution vulnerability in React Server Components that lets an unauthenticated attacker run arbitrary code on an affected server. The flaw stems from insecure deserialization in the React Flight protocol, the serialization format React uses to stream server component output to clients and, in the other direction, to carry client-supplied payloads back to the server; it is that server-side deserialization of attacker-controlled input that exposes the server. The vulnerability carries severe implications for applications built on frameworks that rely on this protocol, particularly Next.js deployments on Vercel's platform.
The issue was flagged in the project "prettiniesnails" hosted on Vercel and has been assigned two coordinated vulnerability identifiers: CVE-2025-55182 under the official React advisory and CVE-2025-66478 under the Next.js advisory. GitHub's security team tracks the flaw under advisory GHSA-9qr9-h5gf-34mp. The vulnerability allows an attacker to abuse the deserialization step of React Flight communication and run code on the server without any authentication, which places the flaw among the most severe classes of web application vulnerabilities: remote, unauthenticated, and leading directly to code execution.
Vercel has responded by automatically generating a pull request that patches the vulnerability, though the company cautions that the automated fix may not be comprehensive and advises maintainers to consult the additional guidance before merging it. Organizations running Next.js or any other framework that depends on React Server Components are urged to prioritize patching, since the advisories are now public. The coordinated disclosure across React, Next.js, and Vercel suggests that exploitation risk remains elevated until patches are widely adopted.
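As an added example (not code from the article, React, Next.js or Vercel), the following Node.js script audits an npm package-lock.json for the packages that implement the server-side React Flight deserializer and compares each installed version against a table of patched versions. The patched versions in PATCHED_MINIMUM are the editor's own assumption and must be confirmed against GHSA-9qr9-h5gf-34mp before the output is acted on; the next package is only reported, for comparison against the Next.js advisory, and the sample lockfile is constructed for the demonstration.

```javascript
// Added example: audit an npm lockfile (lockfileVersion 2 or 3) for the
// packages that deserialize React Flight payloads on the server.
// Not code from React, Next.js or Vercel.

// Packages that ship the server-side Flight deserializer.
const FLIGHT_PACKAGES = new Set([
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
]);

// Reported without a verdict: compare against the Next.js advisory yourself.
const REPORT_ONLY = new Set(["next"]);

// Minimum patched version per release line (major.minor).
// ASSUMPTION: editor's recollection of the React advisory; confirm against
// GHSA-9qr9-h5gf-34mp before relying on these values.
const PATCHED_MINIMUM = {
  "19.0": "19.0.1",
  "19.1": "19.1.2",
  "19.2": "19.2.1",
};

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-(.+))?$/.exec(String(v));
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], prerelease: m[4] || null };
}

// Numeric major.minor.patch comparison; prerelease tags are handled by the caller.
function compareRelease(a, b) {
  for (const k of ["major", "minor", "patch"]) {
    if (a[k] !== b[k]) return a[k] < b[k] ? -1 : 1;
  }
  return 0;
}

function classify(name, version) {
  if (REPORT_ONLY.has(name)) return "check-advisory";
  const parsed = parseVersion(version);
  if (!parsed) return "unparseable";
  const minimum = PATCHED_MINIMUM[`${parsed.major}.${parsed.minor}`];
  if (!minimum) return "not-in-table";
  // A canary build sorts below its release yet may already contain the fix:
  // do not guess, hand it to a human.
  if (parsed.prerelease) return "prerelease";
  return compareRelease(parsed, parseVersion(minimum)) >= 0 ? "patched" : "vulnerable";
}

// Keys in lockfile.packages look like "node_modules/react-server-dom-webpack"
// or, for a nested copy, "node_modules/next/node_modules/react-server-dom-webpack";
// the package name is the last segment after "node_modules/".
function auditLockfile(lockfile) {
  const findings = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    const name = path.split("node_modules/").pop();
    if (!FLIGHT_PACKAGES.has(name) && !REPORT_ONLY.has(name)) continue;
    findings.push({ path, name, version: entry.version, status: classify(name, entry.version) });
  }
  return findings;
}

// True only when every Flight package is on a patched version; anything else
// (vulnerable, prerelease, unparseable, unknown release line) needs a look.
function isClean(findings) {
  return findings.every((f) => f.status === "patched" || f.status === "check-advisory");
}

// Constructed sample lockfile for the demonstration (not a real project).
const SAMPLE_LOCKFILE = {
  name: "constructed-sample",
  lockfileVersion: 3,
  packages: {
    "": { name: "constructed-sample", version: "0.0.0" },
    "node_modules/next": { version: "15.5.0" },
    "node_modules/react": { version: "19.1.0" },
    "node_modules/react-server-dom-webpack": { version: "19.1.0" },
    "node_modules/next/node_modules/react-server-dom-turbopack": { version: "19.2.1" },
    "node_modules/react-server-dom-parcel": { version: "19.2.0-canary-abc123" },
  },
};

// Usage: node audit-flight.js [path/to/package-lock.json]
// Without an argument the constructed sample is audited.
if (typeof require !== "undefined" && require.main === module) {
  const lockfile = process.argv[2]
    ? JSON.parse(require("fs").readFileSync(process.argv[2], "utf8"))
    : SAMPLE_LOCKFILE;
  const findings = auditLockfile(lockfile);
  for (const f of findings) {
    console.log(`${f.status.padEnd(14)} ${f.name}@${f.version}  (${f.path})`);
  }
  console.log(isClean(findings) ? "clean" : "action required");
}
```

Nested copies matter: a framework can vendor its own react-server-dom-* package, so a patched top-level entry does not prove the copy actually loaded at runtime is patched. pnpm and yarn lockfiles have different layouts and need their own reader, and a clean lockfile says nothing about a build that was deployed before the patch landed, so check the deployed artifact as well.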