Anonymous Intelligence Signal

Critical RCE Vulnerability in React Server Components Exposes Next.js Apps to Unauthenticated Attacks

The Lab (unverified), 2026-05-10 02:01:40. Source: GitHub Issues

A critical remote code execution vulnerability has been discovered in React Server Components, enabling unauthenticated attackers to execute arbitrary code on servers through insecure deserialization in the React Flight protocol. The flaw, tracked as CVE-2025-55182 for React and CVE-2025-66478 for Next.js, represents one of the most severe security issues to affect the React ecosystem, directly threatening any application leveraging server-side rendering through React Server Components.

The flaw lies in how the React Flight protocol deserializes incoming payloads: a crafted request can trigger remote code execution without any authentication. Frameworks built on React Server Components, most notably Next.js, are directly affected. GitHub Security Advisory GHSA-9qr9-h5gf-34mp documents the technical scope, while Vercel has begun automatically generating pull requests to help developers identify and patch affected projects. That automated detection has already flagged live deployments, including at least one production portfolio site, so the vulnerability is present in real-world applications that are online today.

The discovery raises urgent concerns for the broader React and Next.js ecosystem, where server-side rendering has become a standard architectural pattern. Developers using React Server Components or Next.js should immediately review the official advisories and apply patches. Vercel's automated patching system, while helpful, explicitly warns it may not be comprehensive and could contain errors, placing the onus on development teams to verify fixes. The vulnerability underscores the security risks inherent in server-side deserialization and may prompt renewed scrutiny of the React Flight protocol's design as adoption of React Server Components continues to grow.
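Because the automated pull requests are explicitly not guaranteed to be complete, a team verifying its own fix wants an independent check of what is actually installed. The script below is an added example, not code from this page, from the advisory, or from React, Next.js or Vercel. It assumes the `package-lock.json` layout of lockfileVersion 2 and 3 (every installed copy under `packages`, keyed by path), assumes the names in `FLIGHT_PACKAGES` are the packages carrying the Flight deserialization code (confirm the list against GHSA-9qr9-h5gf-34mp), and uses placeholder version floors in `EXAMPLE_MIN_FIXED` that must be replaced with the fixed versions published in the React and Next.js advisories; the lockfile fragment is constructed for the example.

```javascript
// Added example (not from the advisory or from Vercel's tooling): audit an npm
// lockfile for React Server Components / React Flight packages and report any
// copy that sits below a minimum fixed version taken from the advisories.

// Package names assumed to carry the Flight deserialization code; confirm the
// affected-package list against GHSA-9qr9-h5gf-34mp before relying on it.
const FLIGHT_PACKAGES = [
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
  "react",
  "next",
];

// Parse "MAJOR.MINOR.PATCH[-prerelease]"; returns null for anything else.
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v);
  return m ? { nums: [+m[1], +m[2], +m[3]], pre: m[4] || null } : null;
}

// -1, 0 or 1; a pre-release sorts below the release with the same numbers,
// so a canary build is never mistaken for the patched release.
function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  if (!pa || !pb) throw new Error(`unparseable version: ${a} / ${b}`);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] < pb.nums[i] ? -1 : 1;
  }
  if (pa.pre && !pb.pre) return -1;
  if (!pa.pre && pb.pre) return 1;
  return 0;
}

// Advisories normally publish one fixed version per release line, so `floors`
// is a list; the floor on the installed MAJOR.MINOR line decides the status.
function statusFor(version, floors) {
  const v = parseSemver(version);
  if (!v) return "unparseable";
  const floor = (floors || []).find((f) => {
    const p = parseSemver(f);
    return p && p.nums[0] === v.nums[0] && p.nums[1] === v.nums[1];
  });
  if (!floor) return "no-floor-for-line";
  return compareSemver(version, floor) < 0 ? "vulnerable" : "patched";
}

// lockfileVersion 2/3 keeps every installed copy under "packages", keyed by
// path, so nested duplicates such as node_modules/next/node_modules/<pkg>
// are audited as well as the top-level copy.
function auditLock(lock, minFixed) {
  const report = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();
    if (!FLIGHT_PACKAGES.includes(name) || !entry.version) continue;
    report.push({
      name,
      path,
      version: entry.version,
      status: statusFor(entry.version, minFixed[name]),
    });
  }
  return report;
}

// PLACEHOLDER floors (".99" is deliberately fake): replace with the fixed
// versions listed in the React and Next.js advisories.
const EXAMPLE_MIN_FIXED = {
  react: ["19.2.99"],
  "react-server-dom-webpack": ["19.1.99", "19.2.99"],
  next: ["15.5.99"],
};

// Constructed lockfile fragment, not taken from any real project.
const EXAMPLE_LOCK = {
  name: "portfolio-site",
  lockfileVersion: 3,
  packages: {
    "": { name: "portfolio-site", version: "1.0.0" },
    "node_modules/react": { version: "19.2.0" },
    "node_modules/react-server-dom-webpack": { version: "19.2.99" },
    "node_modules/next": { version: "15.5.0" },
    "node_modules/next/node_modules/react-server-dom-webpack": { version: "19.1.0" },
    "node_modules/left-pad": { version: "1.3.0" },
  },
};

console.log(JSON.stringify(auditLock(EXAMPLE_LOCK, EXAMPLE_MIN_FIXED), null, 2));
```

To run it against a real project, replace `EXAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` and fill `EXAMPLE_MIN_FIXED` from the advisories. The per-path report matters because a framework can pin its own nested copy of a Flight package; patching the top-level dependency alone leaves that copy in place, which is exactly the kind of gap an automatically generated pull request can miss.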