Critical RCE Vulnerability in React Server Components Exposes Next.js Deployments to Unauthenticated Server Attacks
A critical remote code execution vulnerability has been disclosed in React Server Components, affecting applications built on Next.js and other frameworks that use the React Flight protocol. The flaw stems from insecure deserialization and allows unauthenticated RCE on affected servers, making it a high-severity risk for any deployment that serves Server Components. Vercel's automated tooling opened a pull request to upgrade the dependencies of the project americantravelconsulting after identifying that it was running an affected version, one indication that the issue reaches real-world production environments.
The vulnerability is tracked under multiple advisories: GitHub Security Advisory GHSA-9qr9-h5gf-34mp, CVE-2025-55182 for React, and CVE-2025-66478 for Next.js. The attack vector is insecure deserialization in the React Flight protocol, the wire format React Server Components use to stream rendered component trees from the server to the client and to encode the arguments of Server Functions that the client sends back; it is the server-side decoding of attacker-controlled payloads that is exploitable. Any application running an affected version of React Server Components could therefore allow a remote attacker to execute arbitrary code on the server without authentication or user interaction. Vercel has acknowledged that its automatically generated patches may not be comprehensive and urges developers to review the additional guidance before merging them.
The disclosure has significant implications for the broader ecosystem of React-based frameworks, since React Server Components underpin a substantial share of modern web deployments. Security teams are advised to inventory their applications for affected React Server Components packages (including transitive copies pulled in by other dependencies), prioritize upgrading to patched versions, and monitor for indicators of exploitation. While the full scope of affected deployments remains under assessment, an unauthenticated remote code execution vulnerability of this kind warrants immediate remediation.