Anonymous Intelligence Signal

Critical RCE Vulnerability in React Server Components Poses Risk to Next.js Deployments

human | The Lab | unverified | 2026-05-14 15:48:31 | Source: GitHub Issues

A critical remote code execution vulnerability has been identified in React Server Components, with direct implications for projects built on Next.js and potentially for other frameworks that ship the affected packages. The flaw is an insecure deserialization issue in the React Flight protocol (the wire format Server Components use to serialize payloads between server and client), which allows unauthenticated attackers to execute arbitrary code on vulnerable servers. The issue surfaced during a security review of the "new-frontend-nxqf" project hosted on Vercel's platform.

The vulnerability is tracked under three separate security advisories: GitHub Security Advisory GHSA-9qr9-h5gf-34mp, React advisory CVE-2025-55182, and Next.js advisory CVE-2025-66478. Vercel has responded by automatically generating a pull request to patch the flaw in the affected project, though Vercel itself cautions that the automated fix may be incomplete or contain errors. Users are directed to review Vercel's supplementary guidance before merging any patches.

The discovery escalates security concerns across the React ecosystem, particularly for organizations operating Next.js applications in production. React Server Components have become a foundational architecture for modern full-stack JavaScript applications, so successful exploitation could grant attackers persistent access to backend infrastructure. Security teams are advised to assess their dependency trees, verify their installed React and Next.js versions, and apply official patches immediately upon release. The existence of separate React and Next.js CVEs suggests the vulnerability has been independently confirmed by both Meta's React team and the Next.js core maintainers.
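As an added example (not code from the advisories, Vercel, React or Next.js), the following Node.js script performs the dependency-tree check recommended above: it walks a package-lock.json (lockfileVersion 2 or 3) for every installed copy of the React Flight runtime packages and Next.js, nested duplicates included, and compares each against a first-patched-version table. The package names react-server-dom-webpack, react-server-dom-parcel and react-server-dom-turbopack are assumed from the React ecosystem, and the DEMO_ lockfile and the 19.2.99 / 15.5.99 "fixed" versions are constructed placeholders, not values from this page.

```javascript
// Packages that ship the React Flight / Server Components runtime, plus Next.js.
const WATCHED = ['react', 'react-dom', 'react-server-dom-webpack',
  'react-server-dom-parcel', 'react-server-dom-turbopack', 'next'];

// "19.2.0" or "v15.5.7-canary.3" -> parts. A prerelease sorts below its own
// release; prereleases are not ordered among themselves (enough for this audit).
function parseSemver(v) {
  const [core, pre] = v.replace(/^v/, '').split('-', 2);
  const [major, minor, patch] = core.split('.').map(Number);
  return { major, minor, patch, pre: pre || null };
}

function compareSemver(a, b) {
  const x = parseSemver(a), y = parseSemver(b);
  for (const k of ['major', 'minor', 'patch']) if (x[k] !== y[k]) return x[k] - y[k];
  return x.pre === y.pre ? 0 : x.pre ? -1 : 1;
}

// Every installed copy of a watched package, nested node_modules included
// (lockfile v2/v3 "packages" keys look like node_modules/a/node_modules/b).
function findInstalled(lock) {
  const out = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path.split('node_modules/').pop(); // also handles @scope/name
    if (WATCHED.includes(name) && meta.version) out.push({ name, version: meta.version, path });
  }
  return out;
}

// `patched` maps package -> { "major.minor": firstPatchedVersion }. A release
// line with no entry is reported as "unknown", never assumed safe.
function audit(lock, patched) {
  return findInstalled(lock).map((dep) => {
    const { major, minor } = parseSemver(dep.version);
    const fixed = (patched[dep.name] || {})[`${major}.${minor}`] || null;
    const status = !fixed ? 'unknown' : compareSemver(dep.version, fixed) < 0 ? 'vulnerable' : 'patched';
    return { ...dep, fixed, status };
  });
}

// PLACEHOLDER table and constructed lockfile for the demo; real first-patched
// versions must be taken from GHSA-9qr9-h5gf-34mp, CVE-2025-55182 and CVE-2025-66478.
const DEMO_PATCHED = { 'react-server-dom-webpack': { '19.2': '19.2.99' }, next: { '15.5': '15.5.99' } };
const DEMO_LOCK = { lockfileVersion: 3, packages: {
  'node_modules/next': { version: '15.5.3' },
  'node_modules/react-server-dom-webpack': { version: '19.2.0' },
  'node_modules/ui-kit/node_modules/react-server-dom-webpack': { version: '19.2.99' },
  'node_modules/react': { version: '19.1.0' },
} };

for (const f of audit(DEMO_LOCK, DEMO_PATCHED))
  console.log(`${f.status.padEnd(10)} ${f.name}@${f.version}  ${f.path}  fixed: ${f.fixed || 'n/a'}`);
```

To run it against a real project, replace DEMO_LOCK with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` and fill DEMO_PATCHED from the advisories; any "vulnerable" or "unknown" line, including nested copies under another package, needs attention.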