Critical RCE Vulnerability in React Server Components Exposes Next.js Applications to Remote Attack
A critical remote code execution vulnerability has been identified in React Server Components, posing a severe security risk to applications built on frameworks including Next.js. The flaw enables unauthenticated attackers to execute arbitrary code on affected servers by exploiting insecure deserialization within the React Flight protocol. Security researchers linked the vulnerability to the nexa-ai-dev-api project hosted on Vercel, triggering one of the most significant patch deployments in recent React ecosystem history.
The weakness was discovered and disclosed through coordinated security channels and is tracked under several advisories: GitHub Security Advisory GHSA-9qr9-h5gf-34mp, the React advisory CVE-2025-55182, and the Next.js advisory CVE-2025-66478 all reference the same underlying flaw. Vercel responded by automatically generating pull requests for affected projects to assist developers with patching, though the company cautioned that the automated fixes may not be comprehensive and should be reviewed manually before merging.
The vulnerability represents a systemic risk across the React Server Components ecosystem because the protocol is widely deployed in production applications. Security teams are urged to prioritize applying the patches, audit server-side request handling, and monitor for indicators of exploitation attempts. The incident underscores a persistent risk in server-side rendering architectures: deserialization of untrusted data without adequate validation.
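The first step of the patching effort described above is knowing where the affected packages actually sit in a dependency tree, including nested copies that a top-level `npm ls` can hide. The following Node script is an added example written for this page; it is not code from the advisory, from Vercel, or from the React or Next.js projects. It walks a `package-lock.json` (lockfile version 2 or 3), lists every instance of the React Flight server packages (`react-server-dom-webpack`, `react-server-dom-parcel`, `react-server-dom-turbopack`) and of `next`, and flags any version below a per-package threshold. The thresholds in `PLACEHOLDER_PATCHED_MIN` and the embedded lockfile are constructed placeholders, not the fixed versions from the advisory; substitute the real fixed versions for your major line from GHSA-9qr9-h5gf-34mp before relying on the output.

```javascript
// Added example (not from the advisory or from React/Next.js/Vercel): inventory
// React Server Components packages in an npm lockfile and flag any copy whose
// version is below a caller-supplied patched minimum.

// Packages that ship the server side of the React Flight protocol, plus the
// Next.js framework package. Extend the set for other bundler integrations.
const WATCHED = new Set([
  'react-server-dom-webpack',
  'react-server-dom-parcel',
  'react-server-dom-turbopack',
  'next',
]);

// Parses "major.minor.patch" with an optional "-prerelease" suffix.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-.*)?$/.exec(v);
  if (!m) return null;
  return { nums: [+m[1], +m[2], +m[3]], pre: Boolean(m[4]) };
}

// Negative if a < b, 0 if equal, positive if a > b. A prerelease sorts below
// the release with the same numbers (19.1.0-canary.1 < 19.1.0).
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  if (!pa || !pb) throw new Error(`unparseable version: ${pa ? b : a}`);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] - pb.nums[i];
  }
  return (pa.pre ? 0 : 1) - (pb.pre ? 0 : 1);
}

// Walks the "packages" map of a lockfile (v2/v3; the older v1 "dependencies"
// tree is not handled) and returns every watched package instance, nested
// copies included. A package with no threshold is reported but not flagged.
function inventory(lock, patchedMin) {
  const results = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path) continue; // "" is the root project itself, not a dependency
    const name = path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
    if (!WATCHED.has(name) || !entry.version) continue;
    const min = patchedMin[name] ?? null;
    results.push({
      path,
      name,
      version: entry.version,
      patchedMin: min,
      outdated: min !== null && compareVersions(entry.version, min) < 0,
    });
  }
  return results;
}

// Reads a lockfile from disk (CommonJS only; the sample below needs no I/O).
function loadLockfile(file) {
  const fs = require('fs');
  return JSON.parse(fs.readFileSync(file, 'utf8'));
}

// Constructed sample lockfile fragment, not taken from any real project.
// Note the second, nested copy of react-server-dom-webpack under some-lib.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app', version: '1.0.0' },
    'node_modules/next': { version: '15.0.0' },
    'node_modules/react-server-dom-webpack': { version: '19.0.0' },
    'node_modules/some-lib': { version: '2.1.0' },
    'node_modules/some-lib/node_modules/react-server-dom-webpack': { version: '19.5.0' },
  },
};

// PLACEHOLDER thresholds, NOT the advisory's real fixed versions. Look up the
// fixed release for each major line in GHSA-9qr9-h5gf-34mp and substitute it.
const PLACEHOLDER_PATCHED_MIN = {
  'react-server-dom-webpack': '19.1.0',
  next: '15.1.0',
};

// Usage: node rsc-inventory.js [path/to/package-lock.json]
// Without an argument the constructed sample lockfile is inspected.
if (typeof process !== 'undefined' && process.argv && process.argv[2]) {
  for (const r of inventory(loadLockfile(process.argv[2]), PLACEHOLDER_PATCHED_MIN)) {
    console.log(`${r.outdated ? 'OUTDATED' : 'ok      '} ${r.name}@${r.version} (${r.path})`);
  }
} else {
  for (const r of inventory(SAMPLE_LOCK, PLACEHOLDER_PATCHED_MIN)) {
    console.log(`${r.outdated ? 'OUTDATED' : 'ok      '} ${r.name}@${r.version} (${r.path})`);
  }
}
```

Run it against each application's lockfile after merging a Vercel-generated pull request as well as before: the automated fix may bump the top-level package while a nested copy pinned by another dependency stays on the old line, which is exactly the case the `path` column makes visible. Yarn and pnpm lockfiles use different formats and would need their own parser.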