Critical RCE Vulnerability in React Server Components Puts Next.js Deployments at Risk
Vercel has issued an automated security patch addressing a critical remote code execution (RCE) vulnerability in React Server Components, with direct implications for applications built on Next.js and related frameworks. The flaw, traced to insecure deserialization within the React Flight protocol, enables unauthenticated attackers to execute arbitrary code on affected servers.
The vulnerability was flagged in the production environment of a project named "quiz-app" under the Vercel organization "taros-projects-fc7186a2." It is tracked across multiple security advisories (GitHub Advisory GHSA-9qr9-h5gf-34mp, React Advisory CVE-2025-55182, and Next.js Advisory CVE-2025-66478) and represents a significant attack surface for any deployment that uses React Server Components. The React Flight protocol, which serializes the data streams sent from server to client, contains the deserialization flaw that allows malicious payloads to be injected.
Vercel's automated pull request provides an upgrade path to address the exposure, though the company cautions that the patch may not be comprehensive and advises maintainers to review additional guidance before merging. Organizations running Next.js applications with Server Components enabled should prioritize testing and deploying the proposed changes. The disclosure across the React, Next.js, and GitHub security advisories signals a coordinated response to what appears to be an active or imminent threat vector in the JavaScript ecosystem.
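As an added illustration (not code from Vercel, React, or the advisories), the following Node.js script inventories the React Server Components packages in an npm lockfile and flags every installed copy, hoisted or nested, that is below a caller-supplied minimum fixed version. The lockfile layout (v2/v3 "packages" map), the sample lockfile and the threshold values in it are assumptions; real fixed versions must come from the advisories named above.

```javascript
// Added example, not Vercel's patch or React's code: inventory the React Server
// Components (Flight) packages in an npm lockfile and flag versions below a
// caller-supplied minimum. Lockfile v2/v3 "packages" map layout is assumed.
const RSC_PACKAGES = new Set([
  'react-server-dom-webpack', 'react-server-dom-turbopack',
  'react-server-dom-parcel', 'next',
]);

function splitVersion(v) {
  const i = v.indexOf('-');  // "19.2.0-canary.3" -> ["19.2.0", "canary.3"]
  return i === -1 ? [v, ''] : [v.slice(0, i), v.slice(i + 1)];
}

// Minimal semver ordering: numeric major.minor.patch; any prerelease ranks
// below the same release, so a canary build does NOT count as patched.
function compareVersions(a, b) {
  const [mainA, preA] = splitVersion(a);
  const [mainB, preB] = splitVersion(b);
  const na = mainA.split('.').map(Number), nb = mainB.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (na[i] || 0) - (nb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  if (preA === preB) return 0;
  if (!preA) return 1;
  if (!preB) return -1;
  return preA < preB ? -1 : 1;
}

// Every installed copy, including nested (non-hoisted) ones under other packages.
function findRscPackages(lock) {
  const found = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue;  // root project entry
    const name = path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
    if (RSC_PACKAGES.has(name)) found.push({ path, name, version: entry.version });
  }
  return found;
}

// Installs that are below the minimum fixed version for their package.
function triage(lock, minFixed) {
  return findRscPackages(lock).filter(
    (p) => minFixed[p.name] && compareVersions(p.version, minFixed[p.name]) < 0);
}

// Constructed sample lockfile and thresholds for the demo only; take the real
// fixed versions from the advisories, not from these constants.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  '': { name: 'quiz-app', version: '1.0.0' },
  'node_modules/next': { version: '15.2.6' },
  'node_modules/react-server-dom-webpack': { version: '19.2.0' },
  'node_modules/next/node_modules/react-server-dom-turbopack': { version: '19.2.1-canary.3' },
} };
const DEMO_MIN_FIXED = { next: '15.2.6', 'react-server-dom-webpack': '19.2.1',
  'react-server-dom-turbopack': '19.2.1' };
console.log(JSON.stringify(triage(SAMPLE_LOCK, DEMO_MIN_FIXED)));
```

On a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json'))` and populate the threshold map from the advisory.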