## Critical RCE Vulnerability in React Server Components Exposes Next.js to Unauthenticated Server Takeover
A critical remote code execution vulnerability in React Server Components has been identified, posing a significant threat to applications built on affected frameworks including Next.js. The flaw, discovered in the project ecom-hype-automation hosted on Vercel, enables unauthenticated attackers to execute arbitrary code on the server through insecure deserialization within the React Flight protocol. Vercel has automatically generated a pull request to assist with patching, though the company cautions that the automated fix may not be comprehensive and requires manual review before merging.

The vulnerability is tracked across multiple security advisories: GitHub Security Advisory GHSA-9qr9-h5gf-34mp, React advisory CVE-2025-55182, and Next.js advisory CVE-2025-66478. The attack vector leverages the React Flight protocol, which handles serialization between server and client components. By exploiting insecure deserialization logic, an attacker without credentials could inject malicious payloads that execute at the server level, potentially compromising the entire application environment, sensitive data, and connected systems.

Organizations utilizing React Server Components in their deployments face immediate exposure. The vulnerability affects the core protocol mechanism rather than application-specific code, meaning standard secure-coding practices alone cannot mitigate the risk. Security teams should prioritize reviewing the official advisories, applying official patches as they become available, and refraining from merging unverified automated changes without thorough evaluation. Given the protocol-level nature of this flaw, the potential attack surface extends beyond individual applications to any infrastructure running vulnerable versions of React Server Components.
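
The first step the advisory review above implies is an inventory: which React Flight packages and which Next.js version does a deployment actually carry, including transitive copies nested under other dependencies? The script below is an added example (not from the advisories, the affected project, or Vercel's automated pull request) that walks an npm `package-lock.json` and classifies each hit against a map of first-fixed versions. The package names `react-server-dom-webpack`, `react-server-dom-turbopack` and `react-server-dom-parcel` are assumed to be the RSC protocol packages and should be checked against the advisories' affected lists; the lockfile and the fix versions in `PLACEHOLDER_FIXES` are constructed placeholders, not the real patched versions, which must be taken from GHSA-9qr9-h5gf-34mp, CVE-2025-55182 and CVE-2025-66478.

```javascript
// Added example: inventory a package-lock.json for React Server Components
// packages and Next.js, then compare each found version with the first fixed
// version of its release line. Package list and fix versions are assumptions
// and placeholders; confirm both against the official advisories.

// Assumption: these npm packages implement the React Flight (RSC) protocol,
// plus the Next.js framework that bundles it.
const WATCHED_PACKAGES = [
  "react-server-dom-webpack",
  "react-server-dom-turbopack",
  "react-server-dom-parcel",
  "next",
];

// Split "MAJOR.MINOR.PATCH[-prerelease]" into numeric parts; a prerelease
// sorts below the release it precedes (19.2.0-canary.3 < 19.2.0).
function parseVersion(v) {
  const [core, pre] = String(v).split("-", 2);
  const nums = core.split(".").map((n) => parseInt(n, 10) || 0);
  while (nums.length < 3) nums.push(0);
  return { nums, prerelease: pre !== undefined };
}

// Returns <0 if a < b, 0 if equal, >0 if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] - pb.nums[i];
  }
  if (pa.prerelease !== pb.prerelease) return pa.prerelease ? -1 : 1;
  return 0;
}

// Same release line = same MAJOR.MINOR, since fixes are typically backported per line.
function sameLine(a, b) {
  const pa = parseVersion(a).nums, pb = parseVersion(b).nums;
  return pa[0] === pb[0] && pa[1] === pb[1];
}

// Walk a lockfileVersion 2/3 "packages" map. Nested copies such as
// "node_modules/x/node_modules/next" are reported too: a transitive copy
// of the protocol code is just as reachable at runtime as the top-level one.
function findWatchedPackages(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path) continue; // "" is the root project entry, not a dependency
    const name = path.split("node_modules/").pop();
    if (WATCHED_PACKAGES.includes(name) && meta && meta.version) {
      hits.push({ name, path, version: meta.version });
    }
  }
  return hits;
}

// patched: { packageName: ["<first fixed version per release line>", ...] }.
// "vulnerable" = below the fix for its line, "patched" = at or above it,
// "review" = no fix known for that line (or package not in the map), so a
// human must decide rather than the script silently passing it.
function assess(hits, patched) {
  return hits.map((h) => {
    const fixes = patched[h.name] || [];
    const fix = fixes.find((f) => sameLine(f, h.version));
    let status = "review";
    if (fix) status = compareVersions(h.version, fix) < 0 ? "vulnerable" : "patched";
    return { ...h, fix: fix || null, status };
  });
}

function inventory(lock, patched) {
  return assess(findWatchedPackages(lock), patched);
}

// Constructed sample lockfile (not a real project's) and PLACEHOLDER fix
// versions; the x.y.99 values are deliberately fake.
const SAMPLE_LOCK = {
  name: "sample-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", version: "1.0.0" },
    "node_modules/next": { version: "15.1.0" },
    "node_modules/react": { version: "19.1.0" },
    "node_modules/react-server-dom-webpack": { version: "19.1.0" },
    "node_modules/some-dep/node_modules/react-server-dom-webpack": { version: "19.1.99" },
    "node_modules/react-server-dom-turbopack": { version: "19.2.0-canary.3" },
  },
};
const PLACEHOLDER_FIXES = {
  "react-server-dom-webpack": ["19.1.99"],
  next: ["15.1.99"],
};

// Usage: node rsc-inventory.js [path/to/package-lock.json]; without an
// argument the constructed sample lockfile is scanned.
if (typeof require !== "undefined" && require.main === module) {
  const lock = process.argv[2]
    ? JSON.parse(require("fs").readFileSync(process.argv[2], "utf8"))
    : SAMPLE_LOCK;
  for (const r of inventory(lock, PLACEHOLDER_FIXES)) {
    console.log(`${r.status.padEnd(10)} ${r.name}@${r.version}  (${r.path})`);
  }
}
```

Two design choices matter for this kind of check: nested copies are reported rather than deduplicated, because a second copy of the protocol package under another dependency is loaded by the same server process, and a release line with no known fix is reported as "review" rather than "patched", so the absence of advisory data never reads as a pass.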

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: RCE vulnerability, React Server Components, Next.js, insecure deserialization, CVE-2025-55182
- **Credibility**: unverified
- **Published**: 2026-05-04 23:54:07
- **ID**: 79356
- **URL**: https://whisperx.ai/en/intel/79356