Critical RCE Vulnerability Found in React Server Components; Next.js Projects Under Security Advisory
A critical remote code execution vulnerability has been identified in React Server Components, affecting the React packages that implement the server side of the React Flight protocol and the frameworks built on them. The flaw is an insecure deserialization issue: a server that accepts React Flight payloads from clients can be made to process attacker-controlled data in a way that leads to arbitrary code execution, with no credentials required. Security researchers warn that an exploited server can serve as a foothold into the rest of an application's infrastructure.
The vulnerability impacts frameworks that use React Server Components, with Next.js identified as the primary affected platform. Vercel's automated tooling opened a pull request to help patch one affected project, "yunsa-philosopher-atlas", operated by user chocoeye31-7392s-projects; the notice accompanying that pull request cautions that the automated fix may be incomplete or contain errors, so it should be reviewed rather than merged blindly. The flaw is tracked as GitHub Security Advisory GHSA-9qr9-h5gf-34mp, with CVE-2025-55182 assigned for React and CVE-2025-66478 for Next.js. Developers are urged to consult the official React and Next.js guidance before applying any patch.
The discovery adds React Server Components to the list of high-severity attack surfaces in the modern web stack. Teams running production deployments on affected frameworks should first establish which versions of the React Server Components packages and of Next.js they actually run, including copies bundled inside framework packages, and then apply the vendor-recommended upgrades; until an upgrade is in place, the vulnerable code path is reachable by any client that can send requests to the server. The incident underscores a persistent risk in server-side rendering pipelines: deserialization of untrusted request data creates a critical entry point for adversaries. Vercel has published additional security checks for teams evaluating the auto-generated patches.
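As an added example, not code from the article, React, or Vercel: the check below audits an npm package-lock.json for installed copies of the react-server-dom-* packages that are still below the patched release for their line, including transitive copies nested under another dependency's node_modules, which a top-level dependency listing can miss. The package names and the patched-version floors in the table are assumptions taken from the React advisory as the author of this example read it, and should be confirmed against GHSA-9qr9-h5gf-34mp before the output is relied on; the sample lockfile is constructed for the demonstration.

```javascript
// Added example, not from the article, React, or Vercel: audit an npm
// package-lock.json (lockfileVersion 2 or 3, which carry a "packages" map)
// for react-server-dom-* packages still below the patched release for their
// line. Nested copies under node_modules/<dep>/node_modules/ are included,
// since a top-level dependency listing can miss a copy pinned by a dependency.

// ASSUMPTION: package names and patched-version floors as the author of this
// example read the React advisory. Confirm against GHSA-9qr9-h5gf-34mp before
// relying on the output; extend the table for other packages (e.g. "next").
const ASSUMED_FIXED_VERSIONS = {
  "react-server-dom-webpack":   { "19.0": "19.0.1", "19.1": "19.1.2", "19.2": "19.2.1" },
  "react-server-dom-parcel":    { "19.0": "19.0.1", "19.1": "19.1.2", "19.2": "19.2.1" },
  "react-server-dom-turbopack": { "19.0": "19.0.1", "19.1": "19.1.2", "19.2": "19.2.1" },
};

// Parse "MAJOR.MINOR.PATCH[-prerelease]"; returns null for anything else.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v);
  if (!m) return null;
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// True when `installed` sorts before `fixed`. A prerelease of the fixed
// version (19.2.1-canary-x) sorts before 19.2.1 under semver, so it is
// still reported as below the floor.
function isBelow(installed, fixed) {
  const a = parseVersion(installed);
  const b = parseVersion(fixed);
  if (!a || !b) return false;
  for (let i = 0; i < 3; i++) {
    if (a.nums[i] !== b.nums[i]) return a.nums[i] < b.nums[i];
  }
  return a.pre !== null && b.pre === null;
}

// The package name is everything after the last "node_modules/" in a lock
// key, which also handles scoped names such as "@scope/pkg". The root
// entry "" has no such marker and yields null.
function packageName(lockKey) {
  const marker = "node_modules/";
  const idx = lockKey.lastIndexOf(marker);
  return idx === -1 ? null : lockKey.slice(idx + marker.length);
}

// Returns one finding per installed copy below the patched floor for its
// release line. Lines absent from the table (e.g. 18.x) are not judged.
function auditLockfile(lock, fixedTable = ASSUMED_FIXED_VERSIONS) {
  const findings = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    const name = packageName(key);
    if (!name || !(name in fixedTable) || !entry.version) continue;
    const parsed = parseVersion(entry.version);
    if (!parsed) continue;
    const line = `${parsed.nums[0]}.${parsed.nums[1]}`;
    const fixed = fixedTable[name][line];
    if (fixed && isBelow(entry.version, fixed)) {
      findings.push({ path: key, name, installed: entry.version, fixed });
    }
  }
  return findings;
}

// Constructed sample lockfile for the demonstration, not from any real project.
const SAMPLE_LOCK = {
  name: "sample-app",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "react-server-dom-webpack": "19.0.0" } },
    "node_modules/react": { version: "19.0.0" },
    "node_modules/react-server-dom-webpack": { version: "19.0.0" },
    "node_modules/react-server-dom-parcel": { version: "19.1.2" },
    "node_modules/some-framework/node_modules/react-server-dom-turbopack": { version: "19.2.1-canary-4f2a" },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.path}: ${f.installed} is below patched ${f.fixed}`);
}
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`. Next.js ships its own copy of these packages inside the `next` package rather than as separate lockfile entries, so for a Next.js application add a `"next"` entry to the table with the patched versions from the Next.js advisory; an empty result from this script alone does not clear a Next.js deployment.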