Critical RCE Vulnerability in React Server Components Exposes Next.js Applications to Server-Side Compromise
A critical remote code execution vulnerability in React Server Components has been identified, affecting applications built with frameworks including Next.js. The flaw enables unauthenticated attackers to execute arbitrary code on the server through insecure deserialization within the React Flight protocol. Vercel has generated an automatic pull request to patch the exposed project 'glossy-design-pos-frontend', though officials caution that the automated fix may not be comprehensive and could contain errors. Users are advised to review Vercel's additional guidance before merging any patches.
The vulnerability is formally tracked across multiple security advisories: GitHub Security Advisory GHSA-9qr9-h5gf-34mp, React advisory CVE-2025-55182, and Next.js advisory CVE-2025-66478. The flaw appears to stem from how React Flight serializes and deserializes data exchanged between server and client components, creating an attack vector that requires no authentication. The affected project, hosted on Vercel's platform, underscores how the risk propagates across managed hosting environments that automatically process React server payloads.
Security teams managing Next.js deployments face immediate pressure to audit their applications for React Server Component usage and apply official patches. The vulnerability's presence in a core React protocol mechanism means the blast radius could extend beyond individual projects to any platform or framework leveraging this architecture. Organizations should prioritize reviewing their dependency trees for vulnerable React versions, monitoring Vercel's security advisories, and implementing defensive controls around deserialization boundaries until comprehensive patches are available and verified.