Critical RCE Vulnerability in React Server Components Exposes Next.js via Insecure Deserialization
A critical remote code execution vulnerability has been identified in React Server Components, affecting applications built on Next.js and potentially other frameworks. The flaw resides in insecure deserialization within the React Flight protocol, enabling unauthenticated attackers to execute arbitrary code on the server. The vulnerability was detected in the project lallera-festival hosted on Vercel's platform, prompting an immediate automated security response.
The issue is tracked under three separate security advisories: GitHub Security Advisory GHSA-9qr9-h5gf-34mp, React advisory CVE-2025-55182, and Next.js advisory CVE-2025-66478. The coordinated disclosure across multiple vendors reflects the protocol-level nature of the flaw, which spans React's core implementation and framework-specific integrations. Vercel has generated an automatic pull request to upgrade the affected dependencies in the project, though Vercel cautions that the automated patch may not be comprehensive and could contain errors.
Security administrators are urged to review Vercel's supplemental guidance before merging any automated changes. The vulnerability underscores a broader pattern of deserialization risks in server-side rendering stacks, where unchecked data flows between client and server components can become exploitation vectors. While the automated PR represents an initial remediation step, manual verification and dependency auditing remain essential to ensure complete mitigation across production environments.