Critical Unauthenticated RCE Vulnerability Discovered in React Server Components: CVE-2025-55182 Affects Next.js Deployments
A critical remote code execution vulnerability has been identified in React Server Components, exposing server-side infrastructure to unauthenticated attackers. The flaw stems from insecure deserialization within the React Flight protocol, enabling malicious actors to execute arbitrary code on affected servers without requiring any authentication credentials.
The vulnerability was discovered in the Vercel-hosted project v0-shelf-whiz-website, but the underlying weakness lies in the React Server Components implementation itself, with significant implications for applications built on Next.js and potentially other React-based frameworks. Vercel has automatically generated patch pull requests for affected repositories, while cautioning that these automated fixes may not be comprehensive and require manual review before deployment. The security flaw is now tracked under three separate advisories: GitHub Security Advisory GHSA-9qr9-h5gf-34mp, React Advisory CVE-2025-55182, and Next.js Advisory CVE-2025-66478, reflecting the cross-framework impact of the vulnerability.
Organizations running Next.js deployments face immediate patching pressure, as the vulnerability allows complete server compromise without user interaction. Security teams should prioritize reviewing Vercel's guidance documentation and carefully evaluate any automatically generated security patches before merging. The disclosure underscores persistent risks in server-side rendering architectures, where protocol-level deserialization flaws can bypass traditional authentication boundaries. Given the widespread adoption of Next.js in production environments, the potential attack surface remains substantial until patches are comprehensively deployed.
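Because the article leaves the practical first step to the reader, here is an added example (not code from the article, Vercel, React or Next.js) of the inventory check a security team would run before touching the automated patches: walk a `package-lock.json` (lockfileVersion 2 or 3), find every installed copy of Next.js and of the React Server Components runtime packages, and flag each as vulnerable, patched or needing review. It assumes the relevant RSC packages are the `react-server-dom-webpack`, `react-server-dom-parcel` and `react-server-dom-turbopack` npm packages; the version thresholds and the lockfile are constructed for the demonstration and are not the fixed versions from the three advisories, which must be substituted from the advisory text.

```javascript
// Packages whose installed versions we want to inventory (assumed set of
// React Server Components runtimes plus the Next.js framework package).
const RSC_PACKAGES = new Set([
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
  "next",
]);

// Parse "major.minor.patch[-prerelease]"; returns null for anything else
// (git URLs, tags), which the audit reports as needing manual review.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(v);
  if (!m) return null;
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: Boolean(m[4]) };
}

// Comparator semantics (<0, 0, >0). A prerelease sorts below its release so
// "19.1.0-canary" is treated as older than "19.1.0".
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  if (!pa || !pb) throw new Error(`unparseable version: ${a} / ${b}`);
  for (let i = 0; i < 3; i++) {
    if (pa.core[i] !== pb.core[i]) return pa.core[i] - pb.core[i];
  }
  return (pa.pre ? 0 : 1) - (pb.pre ? 0 : 1);
}

// Lockfile keys look like "node_modules/next" or
// "node_modules/some-lib/node_modules/react-server-dom-webpack"; the package
// name is whatever follows the last "node_modules/". Nested copies matter:
// a transitively installed old runtime is just as reachable as the top-level one.
function packageNameFromPath(p) {
  const marker = "node_modules/";
  const i = p.lastIndexOf(marker);
  return i === -1 ? null : p.slice(i + marker.length);
}

// thresholds: { [packageName]: { "major.minor": "minimum patched version" } }
// Status "review" covers release lines the threshold table does not know
// about and versions that do not parse; never silently treat those as safe.
function auditLockfile(lock, thresholds) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = packageNameFromPath(path);
    if (!name || !RSC_PACKAGES.has(name) || !meta.version) continue;
    const parsed = parseVersion(meta.version);
    let status = "review";
    if (parsed) {
      const line = `${parsed.core[0]}.${parsed.core[1]}`;
      const minPatched = thresholds[name] && thresholds[name][line];
      if (minPatched !== undefined) {
        status = compareVersions(meta.version, minPatched) < 0 ? "vulnerable" : "patched";
      }
    }
    findings.push({ path, name, version: meta.version, status });
  }
  return findings;
}

// CONSTRUCTED thresholds for the demo only. These are fictional; replace them
// with the fixed versions published in GHSA-9qr9-h5gf-34mp / CVE-2025-55182 /
// CVE-2025-66478 before using this against a real repository.
const EXAMPLE_THRESHOLDS = {
  next: { "15.3": "15.3.9" },
  "react-server-dom-webpack": { "19.1": "19.1.9" },
};

// CONSTRUCTED package-lock.json content (lockfileVersion 3 shape).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/next": { version: "15.3.2" },
    "node_modules/react-server-dom-webpack": { version: "19.1.9" },
    "node_modules/some-lib/node_modules/react-server-dom-turbopack": { version: "19.2.0" },
    "node_modules/react": { version: "19.1.0" },
  },
};

const DEMO_FINDINGS = auditLockfile(SAMPLE_LOCK, EXAMPLE_THRESHOLDS);
for (const f of DEMO_FINDINGS) {
  console.log(`${f.status.padEnd(10)} ${f.name}@${f.version}  (${f.path})`);
}
```

On a real checkout, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` and run the script across every repository that received one of Vercel's automated pull requests; a "review" result for a release line the table does not cover is exactly the case the article warns about, where the automated fix may be incomplete and a human has to read the advisory.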