Critical RCE Vulnerability in React Server Components Puts Next.js Deployments Under Active Exploitation Risk
A critical remote code execution vulnerability has been identified in React Server Components. It allows unauthenticated attackers to compromise servers through insecure deserialization in the React Flight protocol. The flaw affects applications built on Next.js and potentially other frameworks that ship the affected React packages. CVE-2025-55182 (React) and CVE-2025-66478 (Next.js), together with GitHub Security Advisory GHSA-9qr9-h5gf-34mp, track the vulnerability across the two ecosystems.
The exposure was discovered within the Vercel-hosted project ai-app-r1vq, where the vulnerability was already actionable before patches had broadly reached production deployments. Unlike vulnerabilities that require authentication or user interaction, this flaw permits remote execution without any credentials or social engineering, which dramatically lowers the barrier to exploitation. Vercel has automatically generated pull requests targeting affected projects, though the company cautions that the automated fixes may be incomplete and should be reviewed manually before merging.
The incident raises urgent questions about supply-chain security in server-side JavaScript frameworks. React Server Components execute on the server to enable streaming and server-side data fetching, which makes the underlying Flight protocol a high-value attack surface. Organizations running Next.js deployments should verify their React and framework dependencies against the published advisories (including nested copies pulled in by other packages), prioritize patching cycles, and monitor for indicators of compromise. The automated nature of the Vercel response underscores both the scalability of modern deployment infrastructure and the risks inherent in rapid, dependency-heavy application development.
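The dependency check recommended above, as an added example that is not code from the article, React or Vercel: it walks a `package-lock.json`, lists every installed copy of the packages that implement React Flight / Server Components (the package list is my assumption), and compares each against patched versions taken from the advisories. The `PATCHED` table and the lockfile fragment are constructed placeholders; fill `PATCHED` in from CVE-2025-55182, CVE-2025-66478 and GHSA-9qr9-h5gf-34mp before use.

```javascript
// Added example (not from the article). ASSUMPTIONS: the WATCHED list and the
// PATCHED placeholder versions; real patch levels come from the advisories.
const WATCHED = ['react', 'react-dom', 'react-server-dom-webpack',
                 'react-server-dom-turbopack', 'next'];

// "node_modules/next/node_modules/react-dom" -> "react-dom" (nested copies count too).
function nameFromPath(p) {
  const i = p.lastIndexOf('node_modules/');
  return i === -1 ? null : p.slice(i + 'node_modules/'.length);
}

// name -> sorted list of distinct installed versions found anywhere in the tree.
function installedVersions(lock) {
  const found = {};
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = nameFromPath(path);
    if (!name || !WATCHED.includes(name) || !entry.version) continue;
    (found[name] ||= new Set()).add(entry.version);
  }
  return Object.fromEntries(Object.entries(found).map(([k, v]) => [k, [...v].sort()]));
}

const parts = v => v.split('-')[0].split('.').map(Number);
const sameLine = (a, b) => parts(a)[0] === parts(b)[0] && parts(a)[1] === parts(b)[1];
const cmp = (a, b) => { const pb = parts(b); return parts(a).reduce((d, x, i) => d || x - pb[i], 0); };

// Advisories patch several release lines; a version is safe only if it is at or above
// the patched release on its own major.minor line. Prereleases (e.g. "-canary-") and
// lines with no listed patch cannot be judged here and are sent to manual review.
function classify(v, patchedList) {
  if (v.includes('-')) return 'review';
  const fix = patchedList.find(p => sameLine(p, v));
  if (!fix) return 'review';
  return cmp(v, fix) < 0 ? 'vulnerable' : 'ok';
}

function audit(lock, patched) {
  const report = { vulnerable: [], review: [], ok: [] };
  for (const [name, versions] of Object.entries(installedVersions(lock))) {
    if (!patched[name]) continue;
    for (const v of versions) report[classify(v, patched[name])].push(`${name}@${v}`);
  }
  return report;
}

// Constructed lockfile fragment and PLACEHOLDER patch levels (not the real ones).
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  '': { name: 'ai-app', version: '0.1.0' },
  'node_modules/react': { version: '19.0.0' },
  'node_modules/react-server-dom-webpack': { version: '19.0.0' },
  'node_modules/next': { version: '15.0.0' },
  'node_modules/next/node_modules/react-dom': { version: '19.1.0-canary-abc' } } };
const PATCHED = { react: ['19.0.99', '19.1.99'], 'react-dom': ['19.0.99', '19.1.99'],
                  'react-server-dom-webpack': ['19.0.99'], next: ['15.0.99'] };
console.log(audit(SAMPLE_LOCK, PATCHED));
```

For a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` and treat every `review` entry as unresolved until checked by hand.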