## Critical RCE Vulnerability in React Server Components Exposes Next.js Deployments
A critical remote code execution vulnerability has been identified in React Server Components, posing significant risk to applications built on Next.js and related frameworks. The flaw enables unauthenticated attackers to execute arbitrary code on affected servers through insecure deserialization within the React Flight protocol. The exposure was detected in projects hosted on Vercel's platform, including the application identified as "profile_psychologique," suggesting a potentially broader attack surface across the ecosystem.

The vulnerability is tracked under multiple security advisories, including GitHub Security Advisory GHSA-9qr9-h5gf-34mp, React advisory CVE-2025-55182, and Next.js advisory CVE-2025-66478. Vercel has automatically generated a pull request to patch the flaw in affected projects, though officials caution that the automated fix may not be comprehensive and could contain errors. Developers are urged to carefully review Vercel's additional guidance before merging any patches into production environments.

Security researchers warn that successful exploitation could allow threat actors to compromise entire server-side deployments without requiring valid credentials. Given the widespread adoption of Next.js and the severity of RCE-class vulnerabilities, the flaw raises serious concerns for organizations relying on React Server Components in production. The incident highlights ongoing challenges in securing deserialization mechanisms within modern web frameworks and underscores the need for proactive dependency auditing.

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: RCE, React Server Components, Next.js, CVE-2025-55182, CVE-2025-66478
- **Credibility**: unverified
- **Published**: 2026-05-04 15:54:10
- **ID**: 79298
- **URL**: https://whisperx.ai/en/intel/79298