## Critical RCE Vulnerability in React Server Components Exposes Next.js Servers to Unauthenticated Attacks
A critical remote code execution vulnerability has been identified in React Server Components, affecting applications built on frameworks including Next.js. The flaw enables unauthenticated RCE on servers through insecure deserialization in the React Flight protocol, creating a direct attack vector for remote adversaries.

The vulnerability was discovered in the project mountain-app, hosted on Vercel's platform. React Flight, the protocol underlying Server Components, fails to properly sanitize deserialized data, allowing attackers to inject malicious payloads that execute arbitrary code without requiring authentication. The exposure spans any deployment leveraging React Server Components with vulnerable configurations.

Security advisories have been issued across three tracking systems: GitHub Security Advisory GHSA-9qr9-h5gf-34mp, React Advisory CVE-2025-55182, and Next.js Advisory CVE-2025-66478. Vercel has automatically generated pull requests to patch affected projects, though officials caution that the automated fixes may be incomplete and urge manual review before merging. Developers using React Server Components in Next.js or comparable frameworks should assess exposure immediately and prioritize applying official patches referenced in the linked advisories.
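
Because the automated pull requests may be incomplete, one manual check before merging is to compare the lockfile before and after the patch PR and flag every copy of a tracked package whose version did not change. The following is an added example, not code from Vercel, React or the advisories. Assumptions: the tracked package names (`next`, `react-server-dom-*`) are not listed on this page and should be confirmed against the advisories, and the sample lockfiles and their versions are constructed placeholders.

```javascript
// Added example. Package names to track are an assumption; confirm the exact
// list against the advisories before relying on the result.
const TRACKED = /^(next|react-server-dom-[a-z]+)$/;

// Collect every installed copy of a tracked package from a package-lock.json
// object (lockfileVersion 2 or 3, which has a "packages" map keyed by path).
function trackedCopies(lock) {
  const copies = new Map();
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf("node_modules/");
    if (idx === -1) continue; // root project or workspace entry
    const name = path.slice(idx + "node_modules/".length);
    if (TRACKED.test(name)) copies.set(path, meta.version);
  }
  return copies;
}

// Compare the lockfile before and after a patch PR. A tracked copy that is
// "unchanged" (often a nested transitive install) needs manual review.
function reviewPatch(before, after) {
  const old = trackedCopies(before);
  const findings = [];
  for (const [path, version] of trackedCopies(after)) {
    const previous = old.get(path);
    const status = previous === undefined ? "new"
      : previous === version ? "unchanged" : "bumped";
    findings.push({ path, previous: previous ?? null, version, status });
  }
  return findings;
}

// Constructed sample lockfiles; versions are placeholders, not real releases.
const BEFORE = { lockfileVersion: 3, packages: {
  "": { name: "sample-app" },
  "node_modules/next": { version: "0.0.1-old" },
  "node_modules/react-server-dom-webpack": { version: "0.0.1-old" },
  "node_modules/some-lib/node_modules/react-server-dom-webpack": { version: "0.0.1-old" },
} };
const AFTER = { lockfileVersion: 3, packages: {
  "": { name: "sample-app" },
  "node_modules/next": { version: "0.0.2-new" },
  "node_modules/react-server-dom-webpack": { version: "0.0.2-new" },
  "node_modules/some-lib/node_modules/react-server-dom-webpack": { version: "0.0.1-old" },
} };

for (const f of reviewPatch(BEFORE, AFTER)) {
  console.log(`${f.status.padEnd(9)} ${f.path} ${f.previous} -> ${f.version}`);
}
```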

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: react-server-components, rce-vulnerability, nextjs, vercel, cve-2025-55182
- **Credibility**: unverified
- **Published**: 2026-05-15 05:48:45
- **ID**: 83335
- **URL**: https://whisperx.ai/en/intel/83335