## Critical RCE Vulnerability in React Server Components Exposes Next.js and Vercel Deployments to Unauthenticated Server Attacks
A critical remote code execution vulnerability has been identified in React Server Components, with direct implications for applications deployed across Next.js and Vercel infrastructure. The flaw resides in insecure deserialization handling within the React Flight protocol, enabling unauthenticated attackers to execute arbitrary code on affected servers. The severity of the issue has prompted coordinated disclosure across multiple platforms, including a dedicated GitHub Security Advisory and official advisories from both React and Next.js.

The vulnerability is tracked under three distinct identifiers: GitHub Security Advisory GHSA-9qr9-h5gf-34mp, React advisory CVE-2025-55182, and Next.js advisory CVE-2025-66478. Vercel has responded by generating automated pull requests targeting projects under its platform management, though officials caution that these patches may not be comprehensive and require manual review before merging. Developers using React Server Components are urged to consult Vercel's published guidance and apply security updates immediately.

The exposure raises significant risk for organizations relying on server-side rendering architectures built with affected frameworks. The unauthenticated attack vector means no credentials or user interaction are required to exploit the flaw, substantially lowering the barrier for exploitation. Security teams should prioritize inventorying internal applications that depend on React Server Components, verify their deployment environments, and monitor for the availability of official patches from React and Next.js maintainers. Failure to address this vulnerability promptly could expose sensitive server-side data and provide attackers with persistent access to hosting infrastructure.
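
As a starting point for the inventory step described above, the following added example (not code from React, Next.js, Vercel or the advisories) walks a source tree and lists first-party `package.json` files that declare Next.js or a React Server Components package. The package names in `RSC_PACKAGES` are assumptions of this example. It reports declared version ranges only and makes no judgement about which versions are fixed; compare the results against the official advisories.

```python
import json
import os
import sys
# Assumption of this example: npm packages that carry RSC support, plus Next.js.
RSC_PACKAGES = ("next", "react-server-dom-webpack",
                "react-server-dom-parcel", "react-server-dom-turbopack")
DEP_FIELDS = ("dependencies", "devDependencies", "peerDependencies", "optionalDependencies")
# Constructed sample manifest, not taken from any real project.
SAMPLE_MANIFEST = """{"name": "storefront",
 "dependencies": {"next": "^15.0.0", "react": "^19.0.0"},
 "devDependencies": {"react-server-dom-webpack": "19.0.0"}}"""

def scan_manifest(text):
    """Return {package: declared range} for RSC-related entries, or None if unparseable."""
    try:
        manifest = json.loads(text)
    except json.JSONDecodeError:
        return None
    if not isinstance(manifest, dict):
        return None
    found = {}
    for field in DEP_FIELDS:
        deps = manifest.get(field)
        if isinstance(deps, dict):
            for name in RSC_PACKAGES:
                if name in deps:
                    # Keep the first declaration seen (dependencies before devDependencies).
                    found.setdefault(name, str(deps[name]))
    return found

def inventory(root):
    """Walk root and return (path, status, packages) for manifests that need attention."""
    results = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Skip installed copies and VCS data; only first-party manifests are inventoried.
        dirnames[:] = [d for d in dirnames if d not in ("node_modules", ".git")]
        if "package.json" not in filenames:
            continue
        path = os.path.join(dirpath, "package.json")
        try:
            with open(path, encoding="utf-8") as fh:
                found = scan_manifest(fh.read())
        except (OSError, UnicodeDecodeError):
            found = None
        # Report unparseable manifests too, so a broken file is not a blind spot.
        if found is None or found:
            results.append((path, "review" if found else "unparseable", found or {}))
    return sorted(results)

if __name__ == "__main__":
    print("sample:", scan_manifest(SAMPLE_MANIFEST))
    print(*inventory(sys.argv[1] if len(sys.argv) > 1 else "."), sep="\n")
```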

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: RCE, CVE-2025-55182, CVE-2025-66478, React Flight protocol, insecure deserialization
- **Credibility**: unverified
- **Published**: 2026-05-02 17:54:10
- **ID**: 79032
- **URL**: https://whisperx.ai/en/intel/79032