## Critical RCE Vulnerability in React Server Components Exposes Next.js Deployments to Unauthenticated Server Attacks
A critical remote code execution vulnerability has been identified in React Server Components, posing a significant threat to web applications built on frameworks including Next.js. The flaw, tracked under multiple security advisories including CVE-2025-55182 and CVE-2025-66478, enables unauthenticated attackers to execute arbitrary code on affected servers. The vulnerability stems from insecure deserialization within the React Flight protocol, allowing remote attackers to compromise server-side environments without requiring any credentials or user interaction.

The issue was discovered in the Vercel-hosted project "crach-ad" and has been confirmed to affect the broader React Server Components ecosystem. GitHub Security Advisory GHSA-9qr9-h5gf-34mp and the official Next.js advisory both document the attack vector. Vercel has responded by automatically generating pull requests to patch vulnerable dependencies, though the company cautions that these automated fixes may not be comprehensive and require manual review before merging.

Security teams are urged to audit their deployments immediately, particularly those running Next.js applications with exposed server-side rendering endpoints. The availability of detailed public advisories suggests the technical specifics of the exploit are now accessible to threat actors, increasing the urgency for patching. Organizations should reference the official guidance from Vercel and conduct thorough validation of any automated security patches applied to production environments.

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: RCE, CVE-2025-55182, CVE-2025-66478, Next.js, React Flight
- **Credibility**: unverified
- **Published**: 2026-04-22 18:27:36
- **ID**: 76052
- **URL**: https://whisperx.ai/en/intel/76052