Anonymous Intelligence Signal

Critical RCE Vulnerability in React Server Components Enables Unauthenticated Server Execution via Insecure Deserialization

The Lab (unverified) | 2026-05-03 09:54:07 | Source: GitHub Issues

A critical remote code execution vulnerability has been identified in React Server Components (RSC), the server-rendering technology underpinning Next.js and other major JavaScript frameworks. The flaw lets an unauthenticated attacker execute arbitrary code on an affected server by sending a crafted payload that is insecurely deserialized by the React Flight protocol, the wire format RSC uses to move component trees and function arguments between server and client. The issue was flagged in the Vercel-hosted GitHub project "ukk-2026" and has been assigned multiple tracking identifiers across different advisories.

The flaw is tracked under three identifiers: CVE-2025-55182 in the official React advisory, CVE-2025-66478 in the Next.js advisory, and GitHub Security Advisory GHSA-9qr9-h5gf-34mp. The attack targets the deserialization step of React Flight. Flight is bidirectional: the server streams rendered server components to the client, but it also decodes Flight-encoded payloads the client sends back (for example the arguments of a server function call), and it is this server-side decoding of attacker-controlled input that is exploitable without any authentication. Vercel responded by automatically opening a pull request against the affected project to patch the issue, but cautions that the automated fix may not be comprehensive and should be reviewed manually before merging.

Because React Server Components are widely adopted in enterprise and production deployments, the exposure is broad: every application that resolves the vulnerable React packages as a dependency, directly or through a framework, is affected. Organizations running Next.js on Vercel or on self-hosted infrastructure should upgrade to patched React and Next.js releases, verify the versions actually resolved in their lockfiles rather than only the ranges declared in package.json (a caret range can still pin a vulnerable build, and a framework can ship its own nested copy of the packages), and monitor the React and Next.js advisories for updates. The flaw lives in React's Flight deserialization rather than in Next.js-specific code; Next.js carries its own advisory because it bundles the affected React packages, which is why any framework or custom server that embeds RSC, not only Next.js, is exposed.