
Security Advisory: Critical RCE Vulnerabilities in React Server Components (CVE-2025-55182)

Blog post from Snyk

Post Details
Author: Stephen Thoemmes
Word Count: 1,073
Language: English
Summary

On December 3, 2025, a critical vulnerability was disclosed in React 19 and Next.js, in the React Server Components (RSC) "Flight" protocol. The flaw enables remote code execution (RCE) through unsafe deserialization of attacker-controlled data. It is present in the default configurations of various frameworks and bundlers that use the RSC implementation, and it poses a risk of full server compromise. Although no exploitation has been confirmed, the flaw's high exploit reliability makes immediate patching essential, and updates are available for React and Next.js. The issue affects numerous cloud environments and underscores the need for robust validation in serialization mechanisms. Organizations are urged to upgrade affected systems, verify third-party frameworks, and employ defense-in-depth strategies to mitigate potential risks, while monitoring for further updates as investigations continue.