## Critical RCE Vulnerability in React Server Components Exposes Next.js and Vercel Deployments to Unauthenticated Server Attacks
A critical remote code execution vulnerability has been identified in React Server Components, affecting applications built with Next.js and deployed through Vercel's infrastructure. The flaw, residing in insecure deserialization logic within the React Flight protocol, allows unauthenticated attackers to execute arbitrary code on affected servers without any user interaction or credentials.

The vulnerability was discovered in the Vercel-hosted project keitumetse-modipa-n6ds and has been assigned multiple tracking identifiers across major security databases. GitHub Security Advisory GHSA-9qr9-h5gf-34mp, React advisory CVE-2025-55182, and Next.js advisory CVE-2025-66478 all reference the same underlying flaw. Vercel has automatically generated a patch pull request to address the issue, though the company cautions that the automated fix may not be comprehensive and could contain errors. Users are advised to review Vercel's additional guidance before applying the changes.

The exposure raises significant concerns for organizations running production workloads on Next.js deployments. React Server Components have become a foundational technology in modern full-stack JavaScript applications, meaning the vulnerability potentially affects a wide range of web properties. Security teams should prioritize auditing their React Flight implementations, verifying their dependency versions against the published advisories, and ensuring proper input sanitization at the protocol boundary. Given that the flaw enables unauthenticated exploitation, the risk of opportunistic scanning and targeted attacks against unpatched instances is elevated.
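The advice above to verify dependency versions against the published advisories can be made mechanical. The following is an added example, not code from the advisory, React, Next.js or Vercel. It assumes an npm `package-lock.json` (lockfileVersion 2 or 3), and the `PLACEHOLDER_FIXED_VERSIONS` table holds made-up numbers that must be replaced with the patched versions listed in GHSA-9qr9-h5gf-34mp, CVE-2025-55182 and CVE-2025-66478 before the output means anything:

```javascript
// Added example, not code from the advisory, React, Next.js or Vercel: audit a
// package-lock.json (lockfileVersion 2 or 3) for the React Server Components
// related packages named in an advisory and report which installed copies are
// below the first patched release of their major line.

// Parse "MAJOR.MINOR.PATCH" (pre-release/build suffixes ignored) into integers.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Comparator: -1 if a < b, 0 if equal, 1 if a > b.
function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function packageNameFromPath(path) {
  const idx = path.lastIndexOf("node_modules/");
  return idx === -1 ? null : path.slice(idx + "node_modules/".length);
}

// fixedVersions: { packageName: [firstPatchedVersion, ...] }, one entry per
// major line that received a fix. Every installed copy (including nested
// duplicates) is checked, since a nested copy can still be the one bundled.
function auditLockfile(lockfile, fixedVersions) {
  const lock = typeof lockfile === "string" ? JSON.parse(lockfile) : lockfile;
  if (!lock.packages) throw new Error("expected lockfileVersion 2 or 3 (no 'packages' map)");
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages)) {
    const name = packageNameFromPath(path);
    if (!name || !Object.prototype.hasOwnProperty.call(fixedVersions, name) || !entry.version) continue;
    const installed = entry.version;
    const major = parseSemver(installed)[0];
    const fixed = fixedVersions[name].find((f) => parseSemver(f)[0] === major);
    let status;
    if (!fixed) status = "unknown"; // no patched release listed for this major line: check the advisory
    else status = compareSemver(installed, fixed) < 0 ? "vulnerable" : "ok";
    findings.push({ path, name, installed, fixed: fixed ?? null, status });
  }
  return findings;
}

// Constructed sample lockfile (not from any real project).
const SAMPLE_LOCKFILE = JSON.stringify({
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { next: "15.2.3", react: "19.1.0" } },
    "node_modules/next": { version: "15.2.3" },
    "node_modules/react": { version: "19.1.0" },
    "node_modules/react-dom": { version: "19.1.0" },
    "node_modules/react-server-dom-webpack": { version: "19.1.3" },
    // a nested, older copy pulled in by some build tool
    "node_modules/some-tool/node_modules/react": { version: "18.3.1" },
  },
});

// PLACEHOLDER table: these are NOT the real patched versions. Replace them with
// the patched versions listed in GHSA-9qr9-h5gf-34mp / CVE-2025-55182 / CVE-2025-66478.
const PLACEHOLDER_FIXED_VERSIONS = {
  react: ["19.1.2"],
  "react-server-dom-webpack": ["19.1.2"],
  next: ["15.2.4"],
};

if (typeof require !== "undefined" && require.main === module) {
  for (const f of auditLockfile(SAMPLE_LOCKFILE, PLACEHOLDER_FIXED_VERSIONS)) {
    console.log(`${f.status.padEnd(10)} ${f.path} (${f.installed}, fixed: ${f.fixed ?? "n/a"})`);
  }
}
```

Run it with `node audit-lockfile.js` after pointing `SAMPLE_LOCKFILE` at a real lockfile (`fs.readFileSync("package-lock.json", "utf8")`). Two design choices matter for this class of bug: every installed copy is inspected, including nested duplicates under another package's `node_modules`, because the copy that ends up in the server bundle is not always the top-level one; and a major line with no patched release in the table is reported as `unknown` rather than `ok`, so an unsupported or end-of-life line is surfaced instead of silently passing.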
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: CVE, RCE, React, Next.js, Vercel
- **Credibility**: unverified
- **Published**: 2026-04-27 08:54:09
- **ID**: 77363
- **URL**: https://whisperx.ai/en/intel/77363