Critical RCE Vulnerability in React Server Components Exposes Next.js Servers to Unauthenticated Attacks

A critical remote code execution vulnerability in React Server Components has been identified in the open-source project visio-conf, raising significant security concerns across the JavaScript ecosystem. The flaw resides in insecure deserialization within the React Flight protocol, the mechanism frameworks like Next.js use to transmit component data between server and client environments. Security advisories confirm that unauthenticated attackers can exploit this weakness to execute arbitrary code on affected servers, effectively granting them control over the underlying infrastructure.

The vulnerability is tracked under multiple critical identifiers: GitHub Security Advisory GHSA-9qr9-h5gf-34mp, React advisory CVE-2025-55182, and Next.js advisory CVE-2025-66478. Vercel, whose platform heavily relies on Next.js, responded by automatically generating a patch pull request to assist developers in mitigating the exposure. The project maintainer has been notified, though the automated nature of the fix prompted Vercel to caution that the patch may require manual review before merging.

The vulnerability underscores a recurring risk in serialization-based communication channels, where insufficient validation of incoming data can allow attackers to inject malicious payloads. React Server Components are widely deployed in production environments, meaning any unpatched instance represents a direct entry point for threat actors. Developers using Next.js or related frameworks are urged to apply available patches immediately and audit their deployments for indicators of compromise.