Critical RCE Vulnerability in React Server Components Enables Unauthenticated Server Attacks on Next.js Applications
A critical remote code execution vulnerability has been identified in React Server Components, affecting applications built with frameworks including Next.js. The flaw resides in insecure deserialization within the React Flight protocol and enables unauthenticated attackers to execute arbitrary code on affected servers. This represents a severe security risk given the widespread adoption of these technologies in production web environments.
The vulnerability was discovered during a security audit of the "zain-builds" project hosted on Vercel's platform. Three separate advisories now track this flaw across the affected ecosystem: GitHub Security Advisory GHSA-9qr9-h5gf-34mp, React Advisory CVE-2025-55182, and Next.js Advisory CVE-2025-66478. In response, Vercel has automatically generated pull requests to patch the vulnerable project, though the company acknowledges that these automated fixes may be incomplete and could contain errors. It has urged maintainers to review its published guidance before merging any changes.
The discovery underscores persistent risks in server-side rendering frameworks, where client-facing server components process untrusted input. Organizations running React Server Components should immediately consult the linked advisories, assess their exposure, and apply complete patches rather than relying solely on automated updates. Security teams are advised to treat this as a high-priority remediation, given that the attack requires no authentication and can lead to complete server compromise.