## Critical RCE Vulnerability in React Server Components Exposes Next.js Deployments via Insecure Deserialization
A critical remote code execution vulnerability in React Server Components has been identified, affecting applications built with frameworks including Next.js. The flaw, tracked under GitHub Security Advisory GHSA-9qr9-h5gf-34mp and linked to CVE-2025-55182, enables unauthenticated remote code execution on affected servers through insecure deserialization within the React Flight protocol.

The vulnerability was discovered in the Vercel-hosted project huddle-circo-beta-69uo. React Flight, which facilitates data transmission between server and client components, contains the deserialization weakness that allows attackers to execute arbitrary code without authentication. The issue has prompted coordinated advisories from React (CVE-2025-55182) and Next.js (CVE-2025-66478). Vercel has automatically generated pull requests targeting the affected project to assist with patching efforts, though the company cautions that automated fixes may not be comprehensive and should be reviewed before merging.

The disclosure places immediate pressure on developers using Next.js and other React Server Component frameworks to audit their deployments. Security researchers warn that the vulnerability's location within a core communication protocol means any application leveraging server components could be exposed. Organizations are advised to review the linked advisories, apply available patches, and check their React Flight implementations for signs of exploitation attempts.

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: RCE, CVE-2025-55182, Next.js, React, Vercel
- **Credibility**: unverified
- **Published**: 2026-04-28 06:54:06
- **ID**: 77695
- **URL**: https://whisperx.ai/en/intel/77695