Critical Deserialization Flaw in React Server Components Exposes Next.js and Vercel Projects to Remote Code Execution
A critical remote code execution vulnerability has been identified in React Server Components, creating significant exposure for projects built on affected frameworks, Next.js among them. The flaw is an insecure deserialization bug in the React Flight protocol, the wire format React uses to carry component trees and Server Function arguments between client and server; it lets an unauthenticated attacker who can reach a Flight-decoding endpoint execute arbitrary code on the server. The notification that prompted this report concerns the project "intuartha" hosted on Vercel, but the underlying issue affects the React Server Components ecosystem as a whole, not that project alone.
The issue is tracked under three identifiers: GitHub Security Advisory GHSA-9qr9-h5gf-34mp, CVE-2025-55182 for React, and CVE-2025-66478 for Next.js. Vercel has automatically opened a pull request against the affected project to apply the fix, while stating in its disclosure that an automated fix cannot be guaranteed to be complete and may contain errors. Maintainers were advised to review Vercel's additional guidance before merging. In practice that means checking the versions resolved in the lockfile rather than only the ranges declared in package.json: a bumped range does not help if the lockfile still pins an unpatched release, and Next.js ships its own compiled copy of react-server-dom-webpack, so the next package itself must be on a fixed release as well.
Security researchers warn that the bug creates a high-risk attack surface for any application that accepts React Server Components traffic, in particular Server Functions (Server Actions), whose request bodies are decoded by the vulnerable Flight deserializer. The deserialization vector is especially concerning because it needs no authentication: an attacker needs neither valid credentials nor any user interaction to run code on the server. Organizations running Next.js on Vercel or elsewhere are urged to patch first, confirm that the deployed build actually contains the fixed packages, review how server-side request handling is exposed, and monitor for signs of exploitation given the flaw's severity.
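One practical check for the "confirm the deployed build contains the fixed packages" step, added here as an example and not code from React, Next.js or Vercel: walk a package-lock.json (lockfileVersion 2 or 3), find every resolved copy of the Flight packages, including nested copies under other dependencies, and compare each against the first patched release of its minor line. The patched version numbers in PATCHED are assumptions written into this example; confirm them against GHSA-9qr9-h5gf-34mp, CVE-2025-55182 and CVE-2025-66478 before trusting the output, and add the fixed next releases from the Next.js advisory since Next.js bundles its own copy of the deserializer. The sample lockfile is constructed for the demonstration.

```javascript
// Added example (not code from React, Next.js or Vercel): inventory the resolved
// versions of the React Flight / RSC packages in a package-lock.json and flag
// any copy that sits below the patched release of its minor line.

// ASSUMED thresholds, keyed by package then by "major.minor" line. Verify these
// against GHSA-9qr9-h5gf-34mp / CVE-2025-55182 before relying on them, and add
// the "next" lines from CVE-2025-66478 because Next.js ships its own compiled
// react-server-dom-webpack that never appears as a separate lockfile entry.
const PATCHED = {
  "react-server-dom-webpack":   { "19.0": "19.0.1", "19.1": "19.1.2", "19.2": "19.2.1" },
  "react-server-dom-turbopack": { "19.0": "19.0.1", "19.1": "19.1.2", "19.2": "19.2.1" },
  "react-server-dom-parcel":    { "19.0": "19.0.1", "19.1": "19.1.2", "19.2": "19.2.1" },
};

// "19.2.0-canary-abc-20251101" -> { nums: [19, 2, 0], pre: "canary-abc-20251101" }
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  if (!m) return null;
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Semver-style ordering: numeric triple first; a pre-release of X.Y.Z sorts
// below the X.Y.Z release, so a canary build is conservatively treated as
// older than the fixed release with the same numbers.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] < pb.nums[i] ? -1 : 1;
  }
  if (pa.pre && !pb.pre) return -1;
  if (!pa.pre && pb.pre) return 1;
  return 0;
}

// Classify one resolved version against the patched map for its package.
// Lines absent from the map are not silently passed; they are reported for review.
function classify(version, lines) {
  const p = parseVersion(version);
  if (!p) return "unparseable";
  const fixed = lines[`${p.nums[0]}.${p.nums[1]}`];
  if (!fixed) return "unknown-line";
  return compareVersions(version, fixed) < 0 ? "vulnerable" : "patched";
}

// Walk the "packages" map of a v2/v3 lockfile. Keys look like
// "node_modules/some-tool/node_modules/react-server-dom-webpack"; the package
// name is everything after the last "node_modules/", so nested copies are found.
function scanLockfile(lock, patched = PATCHED) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf("node_modules/");
    if (idx === -1) continue; // the root project entry has key ""
    const name = path.slice(idx + "node_modules/".length);
    if (!(name in patched) || !entry.version) continue;
    findings.push({ path, name, version: entry.version, status: classify(entry.version, patched[name]) });
  }
  return findings;
}

// Constructed sample lockfile (not from any real project): a patched top-level
// copy, an older nested copy pulled in by another dependency, a canary build,
// and a line the map does not cover.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", version: "0.0.1" },
    "node_modules/react": { version: "19.2.1" },
    "node_modules/react-server-dom-webpack": { version: "19.2.1" },
    "node_modules/some-rsc-tool/node_modules/react-server-dom-webpack": { version: "19.1.1" },
    "node_modules/react-server-dom-turbopack": { version: "19.2.1-canary-1234abcd-20251101" },
    "node_modules/react-server-dom-parcel": { version: "18.3.1" },
  },
};

// Usage: node rsc-lock-check.js [path/to/package-lock.json]
// Exit code 1 when any copy is classified vulnerable, so it can gate CI.
function main(file) {
  const lock = file ? JSON.parse(require("fs").readFileSync(file, "utf8")) : SAMPLE_LOCK;
  const findings = scanLockfile(lock);
  for (const f of findings) {
    console.log(`${f.status.padEnd(12)} ${f.version.padEnd(34)} ${f.path}`);
  }
  process.exitCode = findings.some((f) => f.status === "vulnerable") ? 1 : 0;
}
if (process.argv[2]) main(process.argv[2]);
```

Run it without arguments to see the constructed sample, or point it at a real lockfile. Nested copies matter: a dependency that bundles its own RSC tooling can keep an unpatched react-server-dom-* alive after the top-level copy is upgraded, which is exactly the case an automated version-bump PR can miss.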