## Critical RCE Vulnerability Patched in React Server Components; Next.js Deployments Under Scrutiny
A critical remote code execution vulnerability has been identified in React Server Components, exposing servers running affected versions to unauthenticated attacks. The flaw resides in insecure deserialization within the React Flight protocol, which multiple frameworks, including Next.js, use to stream server-rendered components to the client. The vulnerability was discovered in the cinematic-ui project hosted on Vercel, prompting the platform to open an automated patch pull request.

Security advisories have been issued across three tracking systems: GitHub Security Advisory GHSA-9qr9-h5gf-34mp, React Advisory CVE-2025-55182, and Next.js Advisory CVE-2025-66478. The Vercel-generated pull request warns that the automated patch may not be comprehensive and could contain errors, urging maintainers to review additional guidance before merging. The React team publicly disclosed the critical vulnerability on December 3, 2025, marking it as requiring immediate attention from development teams.

Organizations using React Server Components in production should treat this as a high-priority patching scenario given the unauthenticated nature of the exploit and the potential for full server compromise. The React Flight protocol is a core component of modern React server architecture, meaning any custom implementations or third-party libraries relying on this mechanism may also carry exposure. Maintainers are advised to cross-reference their deployments against the listed advisories and apply verified patches rather than relying solely on the automated PR.
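One concrete form of the cross-referencing step above is to inventory which React Flight server packages and Next.js versions a deployment actually installs (nested copies under dependencies included) and compare them against the patched release lines published in the advisories. The script below is an added example for this page, not code from React, Next.js, Vercel or the cinematic-ui project. It assumes an npm lockfile with a top-level `packages` map (lockfileVersion 2 or 3); the lockfile contents and the `PLACEHOLDER_PATCHED` thresholds are constructed for the example, and the real fixed versions must be taken from the linked advisories.

```python
"""Lockfile inventory: which React Flight / Next.js versions are installed, and are they at a patched release?

Added example for this page, not React's, Next.js's or Vercel's own tooling. Assumptions:
- an npm lockfile (lockfileVersion 2 or 3) with a top-level "packages" map;
- patched versions supplied by the caller from the advisories (PLACEHOLDER values below).
"""
import json
import re

# Packages that implement the server side of the React Flight protocol, plus Next.js.
# This list is an assumption for the example; the advisories are authoritative.
WATCHED = (
    "react-server-dom-webpack",
    "react-server-dom-turbopack",
    "react-server-dom-parcel",
    "next",
)

# Constructed sample lockfile (not the real project's), including a nested copy
# of react-server-dom-webpack pulled in by a UI library.
SAMPLE_LOCK = {
    "name": "sample-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "sample-app", "version": "0.1.0"},
        "node_modules/next": {"version": "15.0.4"},
        "node_modules/react": {"version": "19.0.0"},
        "node_modules/react-server-dom-webpack": {"version": "19.0.0"},
        "node_modules/some-ui-kit/node_modules/react-server-dom-webpack": {
            "version": "19.1.0-canary-abc"
        },
    },
}

# PLACEHOLDER thresholds: one patched release per affected release line.
# Replace with the fixed versions listed in the advisories; these are not real.
PLACEHOLDER_PATCHED = {
    "react-server-dom-webpack": ["19.0.1", "19.1.1"],
    "next": ["15.0.4"],
}


def parse_semver(version):
    """Return a comparable tuple; a prerelease of X.Y.Z sorts before X.Y.Z itself.

    Two prereleases on the same base version are compared as plain strings,
    which is an approximation of full semver prerelease ordering.
    """
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch), 0 if pre else 1, pre or "")


def load_lock(path):
    """Read a package-lock.json from disk (the example itself uses SAMPLE_LOCK)."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def installed_versions(lock):
    """Map watched package name -> set of every installed version, nested copies included."""
    found = {}
    for path, meta in lock.get("packages", {}).items():
        if not path:
            continue  # "" is the root project entry, not a dependency
        name = path.rsplit("node_modules/", 1)[-1]
        if name in WATCHED and "version" in meta:
            found.setdefault(name, set()).add(meta["version"])
    return found


def flag_unpatched(lock, patched):
    """Return {name: [versions]} for installed versions not at a patched release.

    An installed version counts as patched only if a supplied patched version on the
    same major.minor line is <= it. Anything else is flagged: either it is below the
    fix, or the caller supplied no data for that release line, so it needs a manual
    check against the advisory.
    """
    flagged = {}
    for name, versions in installed_versions(lock).items():
        fixes = [parse_semver(p) for p in patched.get(name, [])]
        bad = []
        for v in versions:
            sv = parse_semver(v)
            same_line = [f for f in fixes if f[:2] == sv[:2]]
            if not any(sv >= f for f in same_line):
                bad.append(v)
        if bad:
            flagged[name] = sorted(bad, key=parse_semver)
    return flagged


if __name__ == "__main__":
    for name, versions in flag_unpatched(SAMPLE_LOCK, PLACEHOLDER_PATCHED).items():
        print(f"{name}: {', '.join(versions)} not at a patched release")
```

Run against a real deployment by replacing `SAMPLE_LOCK` with `load_lock("package-lock.json")` and filling `PLACEHOLDER_PATCHED` from the advisories. Walking the full `packages` map rather than only top-level entries matters here because a third-party UI library can pin its own older copy of a Flight package, which is exactly the exposure the paragraph above warns about.
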

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: RCE, CVE, React, Next.js, deserialization
- **Credibility**: unverified
- **Published**: 2026-04-29 15:54:14
- **ID**: 78280
- **URL**: https://whisperx.ai/en/intel/78280