Critical RCE Vulnerability in React Server Components Enables Unauthenticated Server Takeover via React Flight Deserialization
A critical remote code execution vulnerability has been identified in React Server Components, exposing applications built on Next.js and related frameworks to unauthenticated server-side compromise. The flaw resides in insecure deserialization logic within the React Flight protocol, which handles server-to-client data streaming. Security advisories from React, Next.js, and GitHub all confirm the flaw's severity and its potential for active exploitation.
The vulnerability was discovered in the project "vaultx" hosted on Vercel. Security researchers linked the weakness to the way React Flight handles serialized data during server component rendering, creating a direct path for remote attackers to execute arbitrary code without authentication. The flaw affects any deployment relying on vulnerable versions of React Server Components, placing numerous production applications at immediate risk. Vercel has responded by automatically generating a pull request to patch the affected project, though officials caution that the automated fix may not be fully comprehensive and may require manual review.
The issue is tracked under three official identifiers: GitHub Security Advisory GHSA-9qr9-h5gf-34mp, React Advisory CVE-2025-55182, and Next.js Advisory CVE-2025-66478. Organizations running Next.js applications with server components enabled are urged to review the linked advisories, apply patches immediately, and audit their React Flight implementations for anomalous deserialization behavior. The disclosure underscores the ongoing risk surface introduced by server-side rendering frameworks, where protocol-level weaknesses can expose entire infrastructure stacks to remote compromise.
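As an added defender-side example (not code from the advisories, React, Next.js or Vercel), the following script inventories every installed copy of the React Flight packages in an npm lockfile, including copies nested under other dependencies that a top-level check would miss. The package names are the real npm names of the Flight implementation; the fixed versions in SAMPLE_FIXED and the sample lockfile are constructed placeholders, to be replaced with the values given in the linked advisories.

```python
import re
from typing import Dict, Iterator, List, Tuple

# npm packages that carry the React Flight (RSC) wire-protocol implementation.
FLIGHT_PACKAGES = ("react-server-dom-webpack", "react-server-dom-parcel",
                   "react-server-dom-turbopack")

def _walk_v1(deps: dict, prefix: str = "") -> Iterator[Tuple[str, str, str]]:
    """lockfileVersion 1 stores a nested 'dependencies' tree."""
    for name, meta in deps.items():
        path = f"{prefix}node_modules/{name}"
        yield name, meta.get("version", ""), path
        yield from _walk_v1(meta.get("dependencies", {}), path + "/")

def iter_installed(lock: dict) -> Iterator[Tuple[str, str, str]]:
    """Yield (name, version, install path) for every entry, any lockfile version."""
    if lock.get("lockfileVersion", 1) >= 2:  # v2/v3: flat map keyed by path
        for path, meta in lock.get("packages", {}).items():
            if path:  # "" is the root project itself
                name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
                yield name, meta.get("version", ""), path
    else:
        yield from _walk_v1(lock.get("dependencies", {}))

def _semver(v: str) -> Tuple[int, ...]:
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", v)
    return tuple(int(x) for x in m.groups()) if m else (0, 0, 0)

def audit_flight_packages(lock: dict, fixed: Dict[str, List[str]]) -> List[dict]:
    """One finding per installed Flight package copy, nested copies included.
    `fixed` maps package -> first patched version per release line; a copy is
    patched only if a fixed version on its own major.minor line is <= it."""
    findings = []
    for name, version, path in iter_installed(lock):
        if name in FLIGHT_PACKAGES:
            have = _semver(version)
            patched = any(_semver(f)[:2] == have[:2] and have >= _semver(f)
                          for f in fixed.get(name, []))
            findings.append({"package": name, "version": version,
                             "path": path, "patched": patched})
    return findings

# Constructed sample lockfile (v3): a patched direct copy plus an older copy
# nested under a dependency, which a naive top-level check would miss.
SAMPLE_LOCK = {"lockfileVersion": 3, "packages": {
    "": {"name": "demo-app"},
    "node_modules/react-server-dom-webpack": {"version": "19.1.2"},
    "node_modules/some-lib": {"version": "1.0.0"},
    "node_modules/some-lib/node_modules/react-server-dom-webpack": {"version": "19.1.1"}}}
# Constructed placeholder fix map: take the real values from the advisories.
SAMPLE_FIXED = {"react-server-dom-webpack": ["19.1.2"]}
```

Run `audit_flight_packages(SAMPLE_LOCK, SAMPLE_FIXED)` and treat any finding with `patched == False` as a copy that still needs the advisory's fix, regardless of how deep in the tree it sits.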