## Critical RCE Vulnerability in React Server Components Exposes Next.js, Vercel Projects
A critical remote code execution (RCE) vulnerability has been identified within React Server Components, directly impacting major frameworks like Next.js and projects hosted on platforms such as Vercel. The flaw, rooted in insecure deserialization in the React Flight protocol, enables unauthenticated attackers to execute arbitrary code on the server. This is not a theoretical risk; it was actively identified in the live project 'ngan-ha-web-booking' on Vercel, demonstrating immediate exploitability.

The vulnerability is formally tracked under multiple high-severity advisories: GitHub Security Advisory GHSA-9qr9-h5gf-34mp, React's CVE-2025-55182, and Next.js's CVE-2025-66478. The core issue allows malicious actors to bypass authentication and achieve server-side RCE, posing a severe threat to any application built with the affected React Server Components architecture. Vercel has initiated automated patching efforts, issuing pull requests to vulnerable repositories, but explicitly warns that its automated fixes may not be comprehensive and could contain errors.

The discovery places immense pressure on development teams using Next.js and React Server Components to urgently review and apply security patches. The public advisories from React, Next.js, and GitHub signal coordinated disclosure and highlight the widespread risk. Organizations must manually verify the automated patches and conduct additional security checks, as recommended by Vercel's guidance. Failure to address this vulnerability promptly risks widespread server compromise across countless web applications reliant on this modern React architecture.

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: cybersecurity, vulnerability, react, nextjs, vercel
- **Credibility**: unverified
- **Published**: 2026-03-25 07:52:19
- **ID**: 32654
- **URL**: https://whisperx.ai/en/intel/32654