## Critical RCE Flaw in React Server Components Forces Emergency Next.js Security Patch
A critical remote code execution vulnerability has been confirmed in React Server Components, allowing unauthenticated attackers to execute arbitrary code on servers through insecure deserialization in the React Flight protocol. The flaw, tracked as CVE-2025-55182 for React and CVE-2025-66478 for Next.js, represents a severe security failure in one of the most widely adopted server-side rendering patterns in modern web development. Vercel has begun issuing automated pull requests to affected repositories, including the identified "nova-blogs" project, warning that the vulnerability enables exploitation without authentication or user interaction.

The vulnerability stems from the React Flight protocol's deserialization mechanism, which processes server-rendered payloads on the client. GitHub Security Advisory GHSA-9qr9-h5gf-34mp and official advisories from both the React team and Next.js maintainers confirm the critical severity rating. Vercel's automated patching system is actively scanning deployed projects and generating upgrade PRs, though the company notes these automated fixes may not be comprehensive and could contain errors. Developers are instructed to review official guidance before merging changes.

The disclosure creates immediate pressure for engineering teams running Next.js applications with React Server Components enabled. Organizations should treat this as a high-priority security incident, auditing all production deployments and verifying that patched dependency versions are applied. The vulnerability raises broader questions about deserialization security in the React ecosystem and may prompt architectural reviews of server-client data transfer patterns. With React Server Components increasingly adopted across the JavaScript landscape, the scope of affected applications could be substantial.

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: React Server Components, Next.js, RCE vulnerability, CVE-2025-55182, CVE-2025-66478
- **Credibility**: unverified
- **Published**: 2026-05-10 15:01:41
- **ID**: 81563
- **URL**: https://whisperx.ai/en/intel/81563