## Critical Unauthenticated RCE in React Server Components via React Flight Deserialization Flaw
A critical remote code execution vulnerability has been identified in React Server Components, affecting applications built on Next.js and other frameworks that use React Server Components. Tracked as CVE-2025-55182 and CVE-2025-66478, the flaw stems from insecure deserialization in the React Flight protocol and lets an unauthenticated attacker execute arbitrary code on an affected server. The GitHub Security Advisory GHSA-9qr9-h5gf-34mp documents the issue; this particular report surfaced as a GitHub issue on petrillo-ui, a project hosted on Vercel that was flagged as depending on affected versions.

The exposure centers on how React Server Components handle serialized data exchanged between client and server under the Flight protocol. The server deserializes the client-supplied Flight payload as part of processing the request itself, before any code the application wrote for the targeted action runs, so the flaw does not bypass authentication so much as sit in front of it: a crafted payload is enough, and no credentials are required. Vercel responded by opening an automatic pull request to bump the vulnerable dependencies in the affected project, while cautioning that the automated fix may not be comprehensive and that the change should be reviewed manually before it is merged.
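As an added illustration (not React's code and not the actual vulnerable code path, which this page does not reproduce), the following Node.js snippet shows the general class of flaw: a wire format in which prefixed strings are resolved to server-side objects, first in a form that lets the client pick any reachable function, then hardened so that only an explicit allowlist of exported actions can be referenced. The `serverInternals` object, the `$ref:` and `$action:` tags, and all messages are constructed for the example.

```javascript
// Added example: a toy tagged-reference deserializer of the kind used by
// RPC and streaming protocols, shown unsafe and then hardened. Nothing here
// is React's implementation; all names and the wire format are assumptions.

// Constructed stand-in for server-side state reachable by the decoder.
// `shell.exec` represents a dangerous sink; here it only returns a string.
const serverInternals = {
  actions: {
    addToCart: (item) => `added ${item}`,
  },
  shell: {
    exec: (cmd) => `would execute: ${cmd}`,
  },
};

// UNSAFE: any "$ref:a.b.c" string from the wire is resolved by walking a
// property path from the server's internals. The client, not the server,
// decides which function is called. Because every JS object exposes
// `constructor.constructor` (the Function constructor), the walk can also
// compile attacker-supplied source, not merely call existing functions.
function unsafeDecode(payload, root = serverInternals) {
  return JSON.parse(payload, (_key, value) => {
    if (typeof value === "string" && value.startsWith("$ref:")) {
      return value.slice(5).split(".").reduce((obj, prop) => obj[prop], root);
    }
    return value;
  });
}

// HARDENED: references are only looked up in an explicit allowlist of
// exported actions (a Map, so no prototype walk), only the "$action:" tag is
// honoured, any other "$"-tagged string is rejected outright, and the
// decoded message is shape-checked before it reaches the dispatcher.
const allowedActions = new Map(Object.entries(serverInternals.actions));

function safeDecode(payload) {
  const decoded = JSON.parse(payload, (_key, value) => {
    if (typeof value !== "string" || !value.startsWith("$")) return value;
    if (value.startsWith("$action:")) {
      const name = value.slice("$action:".length);
      if (!allowedActions.has(name)) {
        throw new Error(`unknown action reference: ${name}`);
      }
      return allowedActions.get(name);
    }
    throw new Error(`unsupported reference tag in payload: ${value}`);
  });
  if (typeof decoded.fn !== "function" || !Array.isArray(decoded.args)) {
    throw new Error("payload must reference an action and carry an args array");
  }
  return decoded;
}

// Dispatcher shared by both decoders: calls whatever the payload resolved to.
function invoke(message) {
  return message.fn(...message.args);
}

// Constructed messages: one legitimate, two hostile.
const legit = '{"fn":"$action:addToCart","args":["book"]}';
const hostileSink = '{"fn":"$ref:shell.exec","args":["id"]}';
const hostileCodegen =
  '{"fn":"$ref:actions.constructor.constructor","args":["return 6 * 7"]}';

function demo() {
  const unsafeResult = invoke(unsafeDecode(hostileSink));      // reaches the sink
  const arbitraryCode = invoke(unsafeDecode(hostileCodegen))(); // runs attacker source
  let safeResult;
  try {
    safeResult = invoke(safeDecode(hostileSink));
  } catch (e) {
    safeResult = `rejected: ${e.message}`;
  }
  return { unsafeResult, arbitraryCode, safeResult, legit: invoke(safeDecode(legit)) };
}

console.log(demo());
```

The hardened decoder is deliberately strict about unknown tags: an unrecognised `$`-prefixed string is an error, not a pass-through, because silently treating it as data is how the next "harmless" tag becomes a sink.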

This vulnerability demands urgent attention from teams running React Server Components in production. The React team and the Next.js maintainers have both issued advisories, and because the flaw lives in the shared React packages rather than in petrillo-ui, every application that bundles an affected version is exposed, not just the project where this report surfaced. Organizations using these technologies should audit their deployments now, including transitive copies of the affected packages, apply the available patches, and monitor for signs of exploitation. The incident underscores a persistent risk in server-side rendering architectures: client-supplied data meeting server-side deserialization.
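The audit step above, as an added example (not tooling from Vercel, React or Next.js): a Node.js script that walks a `package-lock.json` and classifies every installed copy of the packages named in the advisory, including transitive copies nested under other dependencies, which a glance at the top-level dependency list can miss and which an automated dependency-bump may leave untouched. Fixes for this class of bug are backported per minor line, so the check compares against the fixed release of the same `major.minor` rather than a single cutoff. The `FIXED_VERSIONS` table is a placeholder to be filled from GHSA-9qr9-h5gf-34mp and the vendors' advisories, and the lockfile is constructed.

```javascript
// Added example: audit a package-lock.json (lockfileVersion 2 or 3) for the
// package families named in the advisory. Not vendor tooling.
// PLACEHOLDER TABLE: replace with the fixed versions from the advisory.
// Each entry is the first fixed release on its major.minor line.
const FIXED_VERSIONS = {
  "react-server-dom-webpack": ["19.0.1", "19.1.2", "19.2.1"],
  "react-server-dom-parcel": ["19.0.1", "19.1.2", "19.2.1"],
  "react-server-dom-turbopack": ["19.0.1", "19.1.2", "19.2.1"],
  next: ["15.5.7", "16.0.7"],
};

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?$/.exec(v);
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || "" };
}

// "patched" means: same major.minor line as a fixed release and patch >= fix.
// A minor line with no fixed release is treated as vulnerable; canary and
// other prereleases are flagged for manual review rather than guessed at.
function classify(name, installed, table = FIXED_VERSIONS) {
  const v = parseVersion(installed);
  if (!v) return "unparseable";
  if (v.pre) return "prerelease: review manually";
  const lines = (table[name] || [])
    .map(parseVersion)
    .filter(Boolean)
    .sort((a, b) => a.major - b.major || a.minor - b.minor);
  if (lines.length === 0) return "no fixed versions known";
  const sameLine = lines.find((f) => f.major === v.major && f.minor === v.minor);
  if (sameLine) return v.patch >= sameLine.patch ? "patched" : "vulnerable";
  const newest = lines[lines.length - 1];
  const isNewer =
    v.major > newest.major || (v.major === newest.major && v.minor > newest.minor);
  return isNewer
    ? "newer than advisory lines: verify"
    : "vulnerable: minor line has no fix, upgrade";
}

// Walks every entry in lock.packages. Keys look like
// "node_modules/next" or "node_modules/<dep>/node_modules/<nested-copy>";
// the package name is whatever follows the last "node_modules/".
function auditLockfile(lockText, table = FIXED_VERSIONS) {
  const lock = JSON.parse(lockText);
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf("node_modules/");
    if (idx === -1) continue; // "" is the root project, not a dependency
    const name = path.slice(idx + "node_modules/".length);
    if (!Object.hasOwn(table, name)) continue;
    findings.push({ path, name, version: entry.version, status: classify(name, entry.version, table) });
  }
  return findings;
}

// Constructed lockfile: a patched top-level copy hides a vulnerable nested one.
const SAMPLE_LOCK = JSON.stringify({
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "0.1.0" },
    "node_modules/next": { version: "16.0.6" },
    "node_modules/react": { version: "19.2.1" },
    "node_modules/react-server-dom-webpack": { version: "19.2.1" },
    "node_modules/some-ui-kit/node_modules/react-server-dom-webpack": { version: "19.1.1" },
    "node_modules/react-server-dom-turbopack": { version: "19.3.0-canary-1a2b" },
  },
});

console.table(auditLockfile(SAMPLE_LOCK));
```

To run it against a real project, pass the contents of the project's `package-lock.json` (for example via `fs.readFileSync`) to `auditLockfile` in place of `SAMPLE_LOCK`, and treat any `vulnerable` or `prerelease` row as a blocker until the advisory's fixed versions are confirmed installed at every path.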
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: CVE-2025-55182, CVE-2025-66478, RCE vulnerability, React Flight protocol, Next.js
- **Credibility**: unverified
- **Published**: 2026-05-05 21:31:43
- **ID**: 79557
- **URL**: https://whisperx.ai/en/intel/79557