Critical RCE Vulnerability in React Server Components Exposes Next.js and Related Frameworks via Insecure Deserialization
A critical remote code execution vulnerability has been identified in React Server Components, affecting server-side implementations across popular frameworks including Next.js. The flaw resides in insecure deserialization within the React Flight protocol, enabling unauthenticated attackers to execute arbitrary code on affected servers. Vercel has automatically generated pull requests to assist project maintainers with patching efforts, though the company cautions that automated fixes may not be comprehensive and could contain errors.
Among the affected projects is bersaglierisettimo, hosted on Vercel's platform, which illustrates the real-world exposure created by this flaw. Security advisories tracking the issue include GitHub Security Advisory GHSA-9qr9-h5gf-34mp, React Advisory CVE-2025-55182, and Next.js Advisory CVE-2025-66478. Organizations running React Server Components in production are advised to review Vercel's additional guidance before applying any automated patches.
The discovery underscores a persistent attack surface in framework-level serialization mechanisms, where malformed or malicious payload data can trigger code execution paths during server-side rendering operations. Security researchers warn that the vulnerability could be weaponized in supply-chain attacks targeting Node.js ecosystems. Maintainers of affected projects should prioritize auditing their React Flight implementations and ensure that deserialization boundaries are properly constrained until official patches are verified and deployed.
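The first step in the audit recommended above is knowing which copies of the affected packages a project actually installs, including nested duplicates pulled in by transitive dependencies. The following Node.js script is an added example, not code from the advisory, Vercel, or the React project: it walks an npm `package-lock.json` (lockfileVersion 2/3 layout is assumed), lists every installed copy of the packages named in a version map, and flags any copy older than the version the map gives. The package names (`next`, `react-server-dom-webpack`) and every version number are assumptions or constructed sample data; the fixed versions must be taken from the GHSA-9qr9-h5gf-34mp, CVE-2025-55182 and CVE-2025-66478 advisories, which this page does not quote.

```javascript
// Added example (not from the advisory or the React/Next.js projects):
// inventory a Node.js project's npm lockfile for React Server Components and
// Next.js packages and flag installed versions below a defender-supplied
// "fixed" version. Package names and all version numbers below are assumed or
// constructed placeholders; substitute the real fixed versions from the
// advisories before relying on the output.

// Parse "15.0.3", "19.0.0-canary.4", "v18.3.0-rc.1" into comparable parts.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Comparator: negative if a < b, zero if equal, positive if a > b.
// A pre-release (e.g. 19.0.0-canary.1) sorts before its final release.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  if (!pa || !pb) throw new Error(`unparseable version: ${a} / ${b}`);
  for (const k of ["major", "minor", "patch"]) {
    if (pa[k] !== pb[k]) return pa[k] - pb[k];
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1;
}

// Walk the lockfile's "packages" map. Keys look like "node_modules/next" or,
// for nested duplicates, "node_modules/some-tool/node_modules/next".
function findInstalled(lock, names) {
  const found = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();
    if (names.includes(name) && entry.version) {
      found.push({ name, path, version: entry.version });
    }
  }
  return found;
}

// For every installed copy of a package in fixedVersions, report whether it
// is older than the fixed version (and therefore still needs patching).
function auditLock(lock, fixedVersions) {
  return findInstalled(lock, Object.keys(fixedVersions)).map((p) => ({
    ...p,
    fixed: fixedVersions[p.name],
    vulnerable: compareVersions(p.version, fixedVersions[p.name]) < 0,
  }));
}

// Constructed sample lockfile; these versions are made up for the demo.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/next": { version: "15.0.3" },
    "node_modules/react-server-dom-webpack": { version: "19.0.0" },
    "node_modules/some-tool/node_modules/next": { version: "15.1.0" },
    "node_modules/lodash": { version: "4.17.21" },
  },
};

// PLACEHOLDER thresholds, not the real fixed versions: replace with the
// versions published in the advisories.
const FIXED_VERSIONS_PLACEHOLDER = {
  next: "15.1.0",
  "react-server-dom-webpack": "19.0.1",
};

// Print one line per installed copy; in a real run, load the lockfile with
// JSON.parse(fs.readFileSync("package-lock.json", "utf8")) instead.
function runDemo() {
  const results = auditLock(SAMPLE_LOCK, FIXED_VERSIONS_PLACEHOLDER);
  for (const r of results) {
    const tag = r.vulnerable ? "NEEDS PATCH" : "ok         ";
    console.log(`${tag} ${r.path} ${r.version} (fixed >= ${r.fixed})`);
  }
  return results;
}

runDemo();
```

Nested copies matter here: the top-level `next` can be current while a tool's own `node_modules/next` is still old, and only the lockfile walk surfaces both. Run the same check on each build that produces a deployable artifact, not only once at patch time.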