Critical RCE Vulnerability in React Server Components Exposes Next.js Deployments to Unauthenticated Server Attacks
A critical remote code execution vulnerability has been identified in React Server Components, placing applications built on Next.js and related frameworks at severe risk. Tracked under CVE-2025-55182, CVE-2025-66478, and GitHub Security Advisory GHSA-9qr9-h5gf-34mp, the flaw enables unauthenticated attackers to execute arbitrary code on affected servers through insecure deserialization within the React Flight protocol.
The vulnerability lies in the serialization mechanism that React Server Components use to exchange data between the server and client environments. Because the deserialization step can be reached without any authentication, the attack surface is immediately accessible to anyone who can send requests to an affected endpoint. Vercel, which hosts numerous Next.js deployments, has already generated automated pull requests to patch the flaw in exposed projects, though it cautions that these patches may not be comprehensive and should be reviewed manually before merging.
The exposure raises significant concerns for enterprises and developers relying on React Server Components for production applications. React and Next.js maintainers have published separate advisories detailing the vulnerability and recommended remediation steps. Organizations should immediately audit their deployments, prioritize patching efforts, and verify that automated dependency upgrades do not introduce regressions. The incident underscores persistent risks in server-side rendering architectures where client-controllable data flows into deserialization pipelines without sufficient validation safeguards.