Critical RCE Vulnerability in React Server Components Exposes Next.js Deployments to Server-Side Attacks
A critical remote code execution vulnerability has been identified in React Server Components, enabling unauthenticated attackers to execute arbitrary code on the server through insecure deserialization in the React Flight protocol. The flaw impacts applications built with frameworks such as Next.js, raising serious concerns for organizations relying on server-side rendering architectures.
The vulnerability was discovered in a deployed Next.js project on Vercel, specifically the chat-app-next-25 project. Vercel's security systems automatically generated a patch pull request to address the flaw, though the company acknowledged that the automated fix may not be comprehensive and could contain errors. The issue is tracked under three separate security advisories: GitHub Security Advisory GHSA-9qr9-h5gf-34mp, React advisory CVE-2025-55182, and Next.js advisory CVE-2025-66478. The advisories recommend that developers review Vercel's guidance before merging any automated changes and conduct additional security checks.
The React Flight protocol serves as a critical communication channel for transmitting component data between server and client in React Server Components implementations. The insecure deserialization flaw in this pathway creates a direct attack vector that bypasses authentication mechanisms entirely. Security researchers warn that any internet-facing Next.js deployment using server components could be vulnerable if running affected versions. Organizations are urged to audit their deployments immediately, apply official patches from React and Next.js, and monitor for indicators of exploitation.
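One way to start the audit urged above, as an added example that is not from the advisories or from Vercel: it inventories every installed copy of `next` and the `react-server-dom-*` packages in an npm `package-lock.json` (v2/v3 layout assumed) and compares each against a table of patched versions. The page gives no version numbers, so the table and the sample lockfile use constructed `99.x` values that must be replaced with the fixed versions from the advisories; the function names are illustrative.

```javascript
// Added example: inventory RSC-related packages in a package-lock.json (v2/v3 "packages" map).
// Package names are the real npm names; every version below is CONSTRUCTED, not advisory data.
const WATCHED = new Set(["next", "react-server-dom-webpack", "react-server-dom-parcel", "react-server-dom-turbopack"]);

// PLACEHOLDER table: fill in the first patched version per release line from the advisories.
const PATCHED_FLOORS = { next: { "99.1": "99.1.5" } };

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-.+)?$/.exec(v || "");
  return m && { line: `${m[1]}.${m[2]}`, patch: Number(m[3]), pre: Boolean(m[4]) };
}

function classify(name, version, floors) {
  const v = parseVersion(version);
  const floorStr = v && floors[name] && floors[name][v.line];
  if (!floorStr) return "unknown"; // no floor recorded for this line: check the advisory by hand
  const floor = parseVersion(floorStr);
  // A prerelease of the floor version sorts below the release, so it does not count as patched.
  if (v.patch > floor.patch || (v.patch === floor.patch && !v.pre)) return "patched";
  return "below-floor";
}

function auditLockfile(lock, floors = PATCHED_FLOORS) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const i = path.lastIndexOf("node_modules/");
    if (i === -1) continue; // skip the root project and workspace entries
    const name = path.slice(i + "node_modules/".length);
    if (!WATCHED.has(name)) continue;
    findings.push({ name, version: meta.version, path, status: classify(name, meta.version, floors) });
  }
  return findings;
}

// Constructed sample lockfile: two copies of next (one nested under a dependency) and a Flight package.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/next": { version: "99.1.4" },
    "node_modules/some-plugin/node_modules/next": { version: "99.1.5" },
    "node_modules/react-server-dom-webpack": { version: "99.0.0" },
    "node_modules/left-pad": { version: "1.3.0" },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) console.log(`${f.status}\t${f.name}@${f.version}\t${f.path}`);
```

Nested copies matter here: a dependency can pin its own older `next` or Flight package even when the top-level one is patched, which is why the walk covers every `node_modules/` path, not only the root.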
The simultaneous release of advisories across React, Next.js, and GitHub indicates a coordinated disclosure effort, suggesting the vulnerability has been known to affected vendors for some time. However, the automated patch approach by Vercel underscores the urgency of addressing this flaw before widespread exploitation occurs.