Critical RCE Vulnerability in React Server Components Exposes Next.js Deployments via Insecure Deserialization
A critical remote code execution vulnerability has been identified in React Server Components, affecting Next.js and other frameworks that build on them. The flaw lets an unauthenticated attacker execute arbitrary code on the server through insecure deserialization in the React Flight protocol, the wire format React Server Components use to exchange payloads between client and server. The vulnerability is tracked as GHSA-9qr9-h5gf-34mp on GitHub, CVE-2025-55182 in the React advisory, and CVE-2025-66478 in the Next.js advisory.
The advisory was raised against the project "digital-closet," hosted on Vercel, but the insecure deserialization flaw lives in the React Server Components implementation itself, not in that project's code. Any application running an affected version of the React Flight server packages is therefore exposed, whatever its own code does, and no application-level change removes the flaw: the fix is upgrading the affected packages. An automated pull request has been generated to assist with patching, though Vercel cautions that the automated fix may be incomplete or contain errors. Developers should check it against the official guidance before merging any automated security patch.
The exposure is serious for any production deployment that relies on React Server Components: code executed through this flaw runs with the privileges of the server process, which typically holds environment variables, API keys, and network access to backend services, so a compromise is not limited to the rendering layer, and it is most damaging where server-side rendering handles sensitive operations or authentication flows. Organizations using Next.js should immediately audit their React and framework dependencies, including transitive and nested copies in the lockfile, cross-reference the installed versions against the published advisories, and upgrade to the fixed versions those advisories list. Automated exploitation tooling already circulates for similar deserialization vulnerabilities, so this flaw should be expected to be weaponized quickly if left unaddressed.