Critical React Server Components Deserialization Flaw Triggers Emergency Patch Across Next.js Ecosystem
A critical remote code execution vulnerability in React Server Components has been identified and assigned multiple tracking identifiers across major security advisories. The flaw, rooted in insecure deserialization within the React Flight protocol, enables unauthenticated RCE on affected servers. Security advisories have been issued through GitHub (GHSA-9qr9-h5gf-34mp), the React project (CVE-2025-55182), and Next.js (CVE-2025-66478), reflecting the severity of the exposure across the ecosystem.
The vulnerability surfaced during a security review of a Vercel-hosted project named "marketing" belonging to a user identified as "zafars-projects." Vercel responded by automatically generating a pull request to patch the flaw, though the company cautioned that the automated fix may not be comprehensive and urged manual review before merging. The flaw affects frameworks that rely on React Server Components and the React Flight protocol for server-side rendering and data streaming, with Next.js among the most widely affected.
The incident increases the pressure on development teams using Next.js and related frameworks to audit their deployments, apply patches, and verify their React Flight implementations. Security researchers have flagged insecure deserialization as a persistent class of vulnerability in JavaScript ecosystems because of the complexity of handling serialized state across server-client boundaries. Organizations are advised to monitor official advisory channels from Vercel, Next.js, and React for updates and to review Vercel's additional guidance before deploying any automated security patches.
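The audit step above starts with knowing which copies of the React Flight packages a deployment actually contains, including nested duplicates that a top-level `npm ls` glance can miss. The following Node.js script is an added example, not code from the article, Vercel, React or Next.js: it walks the `packages` map of a `package-lock.json` (lockfile version 2 or 3), lists every installed copy of the packages that ship React Flight code, and flags copies older than a caller-supplied patched version. The package names are the real npm packages (`react-server-dom-webpack`, `react-server-dom-turbopack`, `react-server-dom-parcel`, `next`); every version number in the sample lockfile and in the patched-version table is a constructed placeholder, and the real fixed versions must be taken from the advisories named above.

```javascript
// Added example (not from the article or the React/Next.js projects): inventory
// every installed copy of the React Flight packages in a package-lock.json and
// flag those older than a caller-supplied patched version.
const FLIGHT_PACKAGES = new Set([
  'react-server-dom-webpack',
  'react-server-dom-turbopack',
  'react-server-dom-parcel',
  'next',
]);

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into comparable parts.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] ?? null };
}

// Returns -1, 0 or 1. A prerelease (e.g. a canary build) sorts below the
// release with the same major.minor.patch, so canaries are not mistaken for fixed.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] < pb.nums[i] ? -1 : 1;
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1;
}

// "node_modules/a/node_modules/@scope/b" -> "@scope/b" (scoped names kept whole).
function packageNameFromPath(p) {
  const marker = 'node_modules/';
  const idx = p.lastIndexOf(marker);
  return idx === -1 ? null : p.slice(idx + marker.length);
}

// lockfile: parsed package-lock.json (lockfileVersion 2 or 3, "packages" map).
// patchedVersions: { [packageName]: minimum fixed version } taken from the advisories.
// Every copy is reported, nested ones included, with a status per copy.
function auditLockfile(lockfile, patchedVersions) {
  const findings = [];
  for (const [path, entry] of Object.entries(lockfile.packages ?? {})) {
    const name = packageNameFromPath(path);
    if (!name || !FLIGHT_PACKAGES.has(name) || !entry.version) continue;
    const fixed = patchedVersions[name];
    let status = 'unknown'; // no patched version supplied for this package
    if (fixed) status = compareVersions(entry.version, fixed) < 0 ? 'vulnerable' : 'patched';
    findings.push({ name, path, version: entry.version, status });
  }
  return findings;
}

function vulnerableFindings(lockfile, patchedVersions) {
  return auditLockfile(lockfile, patchedVersions).filter((f) => f.status === 'vulnerable');
}

// Constructed sample lockfile. All versions are placeholders. Note the second,
// nested copy of react-server-dom-webpack under some-lib and the canary build of
// react-server-dom-turbopack.
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'marketing-site', version: '0.1.0' },
    'node_modules/next': { version: '1.2.3' },
    'node_modules/react': { version: '3.0.0' },
    'node_modules/react-server-dom-webpack': { version: '2.0.0' },
    'node_modules/react-server-dom-turbopack': { version: '2.0.0-canary.5' },
    'node_modules/some-lib': { version: '4.5.6' },
    'node_modules/some-lib/node_modules/react-server-dom-webpack': { version: '1.9.0' },
  },
};

// PLACEHOLDER fixed versions matching the constructed sample; substitute the
// versions published in the advisories (GHSA-9qr9-h5gf-34mp / CVE-2025-55182 /
// CVE-2025-66478) before using this against a real lockfile.
const SAMPLE_PATCHED_VERSIONS = {
  next: '1.2.4',
  'react-server-dom-webpack': '2.0.0',
  'react-server-dom-turbopack': '2.0.0',
};

// Usage: node audit-flight.js [path/to/package-lock.json]; without an argument
// the constructed sample is audited.
if (typeof require !== 'undefined' && require.main === module) {
  const fs = require('fs');
  const lockfile = process.argv[2]
    ? JSON.parse(fs.readFileSync(process.argv[2], 'utf8'))
    : SAMPLE_LOCKFILE;
  for (const f of auditLockfile(lockfile, SAMPLE_PATCHED_VERSIONS)) {
    console.log(`${f.status.padEnd(10)} ${f.name}@${f.version}  (${f.path})`);
  }
}
```

On the constructed sample the script reports four Flight-package copies, three of them below the placeholder fixed version: the top-level `next`, the canary build of `react-server-dom-turbopack`, and the nested `react-server-dom-webpack` under `some-lib`. That nested copy is the case worth checking for by hand after applying an automated patch PR, since bumping the top-level dependency does not necessarily replace a copy pinned by a transitive dependency.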