Critical RCE Vulnerability in React Server Components Tracked Under CVE-2025-55182 Exposes Next.js Applications
A critical remote code execution vulnerability has been identified in React Server Components, with implications extending across major web development frameworks including Next.js. The flaw resides in insecure deserialization handling within the React Flight protocol, enabling unauthenticated attackers to execute arbitrary code on affected servers. The vulnerability, tracked under multiple identifiers including CVE-2025-55182 and CVE-2025-66478, was discovered in a production project hosted on Vercel's platform before it received coordinated disclosure through official security channels.
The issue was detected in the project ac-detailing, operated by developer ac-achen2020-webs-projects. Vercel's security systems generated an automatic pull request to assist with patching efforts, though the company cautioned that automated fixes may not comprehensively address all vulnerable code paths and urged manual review of the proposed changes. The underlying GitHub Security Advisory, designated GHSA-9qr9-h5gf-34mp, confirms that the vulnerability allows server-side code execution without requiring any authentication credentials.
React Server Components represent a significant architectural shift in modern web development, allowing components to execute on the server while maintaining client-side interactivity. The insecure deserialization flaw in the Flight protocol, which is used to stream component data between server and client, creates a direct attack vector. Developers using Next.js or comparable frameworks built on React's server architecture should prioritize applying official patches immediately. The automated nature of the detection suggests Vercel maintains active scanning for known vulnerability patterns, though the project's exposure before discovery raises questions about deployment-time security validation practices in cloud hosting environments.