Critical RCE Vulnerability in React Server Components Exposes Next.js Deployments to Unauthenticated Server Attacks
A critical remote code execution vulnerability has been identified in React Server Components, the technology behind modern web frameworks including Next.js. The flaw stems from insecure deserialization in the React Flight protocol and lets unauthenticated attackers execute arbitrary code on affected servers. Vercel has automatically generated patch pull requests for exposed projects, including at least one deployment under the portfolio identifier associated with the platform.
The vulnerability is tracked under GitHub Security Advisory GHSA-9qr9-h5gf-34mp, with coordinated disclosures under two further identifiers: CVE-2025-55182 for React and CVE-2025-66478 for Next.js. The issue permits server-side code execution without authentication, making it particularly severe for any deployment that exposes React Server Component functionality. Vercel's automated response system detected the vulnerable project configuration and initiated remediation, though the platform cautions that the generated patches may not be comprehensive and advises manual review before merging.
Security teams maintaining Next.js applications or other React Server Component implementations should prioritize patching efforts. The attack surface includes any endpoint leveraging the React Flight protocol for server-to-client data transmission. Organizations using Vercel should monitor their dashboards for automated security PRs related to this advisory. The coordinated disclosure between Vercel, React, and Next.js security teams suggests active exploitation risk, though public proof-of-concept details remain limited pending widespread patch adoption.