## Critical RCE Vulnerability in React Server Components Exposes Next.js Deployments via Insecure Deserialization
A critical remote code execution vulnerability has been identified in React Server Components, traced to insecure deserialization in the React Flight protocol, the wire format through which client-supplied payloads are decoded on the server. The flaw enables unauthenticated RCE on affected servers and is a serious concern for any deployment built on a framework that relies on this protocol. The report surfaced as a GitHub issue on the "ruju" project hosted on Vercel, but the defect lives in the shared React Server Components packages rather than in that project, so every application built on the same infrastructure is in scope.

The exposure is tracked under multiple advisories: GitHub Security Advisory GHSA-9qr9-h5gf-34mp, the React advisory CVE-2025-55182, and the Next.js advisory CVE-2025-66478. Vercel has begun automatically opening pull requests to patch affected projects, while cautioning that the automated fixes may be incomplete or contain errors; developers are urged to review the advisory guidance before merging any such change into production.

The incident highlights a persistent risk in server-side rendering architectures: a deserialization flaw in the layer that decodes client input is a direct path to server compromise. Applications using Next.js and other React Server Components frameworks should be prioritized for review. Security teams should first update the affected React Server Components packages and `next` to the versions named in the advisories, then verify that the update actually landed in the lockfile and the deployed build, including nested copies pulled in by other dependencies. Assessing whether React Flight endpoints are reachable by unauthenticated users is useful for gauging exposure, but restricting access is a mitigation, not a fix, because the framework decodes the payload before the application's own handler runs. Given how widely Next.js is deployed across enterprise and startup environments, an unpatched instance is a broad and easily reachable target.
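To verify that patching has actually landed, here is an added example, not code from the original report or from the React or Next.js projects: a Node script that walks an npm `package-lock.json` (lockfileVersion 2 or 3), lists every installed copy of the server-side React Flight packages and `next`, nested duplicates included, and compares each copy against a per-release-line table of fixed versions. The package names are real; the sample lockfile and the fixed-version table are constructed placeholders, and the table must be replaced with the versions named in the advisories above.

```javascript
// Added example, not code from the original report or from the React / Next.js projects.
// Audits an npm package-lock.json for the React Flight server packages and compares
// every installed copy (nested duplicates included) against a per-release-line table
// of fixed versions. Lockfile layout assumed: lockfileVersion 2 or 3, where "packages"
// is keyed by the node_modules path of each installed package.

// Packages that implement the server side of the Flight protocol, plus next itself.
const FLIGHT_PACKAGES = [
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
  "next",
];

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]" into numeric parts and a prerelease tag.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Returns -1, 0 or 1. A prerelease (e.g. a canary build) sorts below the release it precedes,
// so "19.2.0-canary.1" is reported as older than "19.2.0".
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] < pb.nums[i] ? -1 : 1;
  }
  if (pa.pre && !pb.pre) return -1;
  if (!pa.pre && pb.pre) return 1;
  return 0;
}

// Collect every installed copy of the packages of interest: { name: [{ path, version }] }.
// Nested copies under another dependency's node_modules count too; those are the ones a
// quick look at the top-level dependency list tends to miss.
function findFlightPackages(lock) {
  const found = {};
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();
    if (FLIGHT_PACKAGES.includes(name) && meta.version) {
      if (!found[name]) found[name] = [];
      found[name].push({ path, version: meta.version });
    }
  }
  return found;
}

// fixedVersions: { name: ["X.Y.Z", ...] }, one entry per release line that received a fix.
// A copy is "patched" if it is >= the fix for its own MAJOR.MINOR line, "vulnerable" if
// below it, and "unknown-line" if no fix is listed for that line, which means: go back to
// the advisory rather than assume the copy is safe.
function audit(lock, fixedVersions) {
  const report = [];
  for (const [name, copies] of Object.entries(findFlightPackages(lock))) {
    for (const { path, version } of copies) {
      const line = parseVersion(version).nums.slice(0, 2).join(".");
      const fixed = (fixedVersions[name] || []).find(
        (f) => parseVersion(f).nums.slice(0, 2).join(".") === line
      );
      let status = "unknown-line";
      if (fixed) status = compareVersions(version, fixed) >= 0 ? "patched" : "vulnerable";
      report.push({ name, path, version, fixed: fixed || null, status });
    }
  }
  return report;
}

// Constructed sample lockfile for the demo (not a real project's lock).
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { next: "^15.0.0", react: "^19.0.0" } },
    "node_modules/next": { version: "15.3.0" },
    "node_modules/react": { version: "19.1.0" },
    "node_modules/react-server-dom-webpack": { version: "19.1.0" },
    "node_modules/react-server-dom-turbopack": { version: "19.2.50" },
    "node_modules/some-ui-kit/node_modules/react-server-dom-webpack": { version: "19.2.0-canary.1" },
  },
};

// PLACEHOLDER fixed-version table for the demo only (the ".50" patch numbers are invented).
// Replace with the versions named in GHSA-9qr9-h5gf-34mp / CVE-2025-55182 and CVE-2025-66478.
const PLACEHOLDER_FIXED = {
  "react-server-dom-webpack": ["19.1.50", "19.2.50"],
  "react-server-dom-parcel": ["19.1.50", "19.2.50"],
  "react-server-dom-turbopack": ["19.1.50", "19.2.50"],
  next: ["15.4.50"],
};

for (const row of audit(SAMPLE_LOCK, PLACEHOLDER_FIXED)) {
  console.log(
    `${row.status.padEnd(12)} ${row.name}@${row.version} (${row.path})` +
      (row.fixed ? `  fix: ${row.fixed}` : "")
  );
}
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))` and fill the table from the advisories. Anything reported as `unknown-line` is deliberately not treated as safe: a release line the table does not cover is exactly the case where a human needs to read the advisory. Check the deployed artifact as well as the lockfile; a patched lock that was never rebuilt and redeployed changes nothing.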
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: RCE, CVE-2025-55182, CVE-2025-66478, Next.js, React Flight
- **Credibility**: unverified
- **Published**: 2026-04-24 03:54:11
- **ID**: 76662
- **URL**: https://whisperx.ai/en/intel/76662