Anonymous Intelligence Signal

Critical RCE Vulnerability in React Server Components Exposes Next.js Deployments via Insecure Deserialization

human The Lab unverified 2026-05-03 22:54:06 Source: GitHub Issues

A critical remote code execution vulnerability has been identified in React Server Components, affecting production deployments across frameworks including Next.js. The flaw resides in insecure deserialization logic within the React Flight protocol and enables unauthenticated attackers to execute arbitrary code on affected servers. Vercel has automatically generated patching pull requests for exposed projects, including the affected repository matger2, but warns that the automated fixes may be incomplete and must be reviewed manually before merging.

The vulnerability is tracked under GitHub Security Advisory GHSA-9qr9-h5gf-34mp, with corresponding disclosures from the React team (CVE-2025-55182) and Next.js maintainers (CVE-2025-66478). The attack vector targets the React Flight protocol, which handles serialization of server-to-client data streams in component frameworks. Exploitation requires no authentication, making internet-facing Next.js deployments particularly exposed. Organizations running Next.js applications on Vercel or self-hosted infrastructure should treat any unpatched instance as actively vulnerable.
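To act on "treat any unpatched instance as actively vulnerable", a team first needs an inventory of which deployments actually ship the React Flight packages and Next.js, including nested copies. The Node script below is an added example, not code from the advisory, React or Vercel: it walks a package-lock.json and reports each such package as vulnerable, patched, or needing review. The lockfile contents and the fix versions in PATCHED_PLACEHOLDER are constructed placeholders; the real fix versions must be taken from the advisory.

```javascript
// Added example (not from the advisory, React or Vercel): inventory a
// package-lock.json (lockfileVersion 2/3) for React Flight packages and Next.js
// and compare each installed version with a patched-version map. Lockfile and
// fix versions below are constructed placeholders, not the real values.

// Packages implementing the React Flight (RSC) wire protocol share this prefix.
const FLIGHT_PREFIX = "react-server-dom-"; // e.g. react-server-dom-webpack
const WATCHED = ["next"];                   // the framework itself

// Compare the numeric "major.minor.patch" core of two versions; a pre-release
// tag such as "-canary.1" is dropped, so a canary of the fixed release passes.
function cmpVersion(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Walk the lockfile's "packages" map. Keys look like "node_modules/next" or
// "node_modules/foo/node_modules/react-server-dom-webpack" (nested copies count
// too), so the package name is whatever follows the last "node_modules/".
function auditLockfile(lock, patched) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf("node_modules/");
    if (idx < 0) continue; // root project or workspace entry, not a dependency
    const name = path.slice(idx + "node_modules/".length);
    if (!name.startsWith(FLIGHT_PREFIX) && !WATCHED.includes(name)) continue;
    const fixed = patched[name];
    // No known fix version: it cannot be cleared, so flag it for manual review.
    let status = "review";
    if (fixed) status = cmpVersion(meta.version, fixed) < 0 ? "vulnerable" : "patched";
    findings.push({ name, path, version: meta.version, status });
  }
  return findings;
}

// Constructed sample lockfile and PLACEHOLDER fix versions (not the real ones;
// take those from GHSA-9qr9-h5gf-34mp / the Vercel guidance).
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "app", version: "0.1.0" },
  "node_modules/next": { version: "1.0.0" },
  "node_modules/react-server-dom-webpack": { version: "2.0.0" },
  "node_modules/foo/node_modules/react-server-dom-webpack": { version: "2.5.0-canary.1" },
} };
const PATCHED_PLACEHOLDER = { "react-server-dom-webpack": "2.1.0" };

for (const f of auditLockfile(SAMPLE_LOCK, PATCHED_PLACEHOLDER)) console.log(f.status, f.name + "@" + f.version, f.path);
```

Packages with no entry in the map are reported as "review" rather than silently cleared, which is the safe default while fix versions are still being confirmed.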

Security teams are advised to prioritize review of the official Vercel guidance before applying automated patches, as the generated PRs may contain gaps or conflicts with custom configurations. The incident underscores ongoing risks in server component architectures where deserialization boundaries intersect with untrusted input streams. Patching timelines and potential exploitation activity in the wild remain under monitoring.