Saved February 14, 2026
Do you care about this?
A serious Remote Code Execution vulnerability in React, identified as CVE-2025-55182, affects versions prior to December 2025. It exploits a deserialization flaw in React Server Components, allowing attackers to execute arbitrary code via crafted HTTP requests without authentication. Upgrading to patched versions is essential for security.
If you do, here's more
A serious Remote Code Execution (RCE) vulnerability, designated as CVE-2025-55182, recently impacted the React ecosystem, particularly affecting the React Server Components (RSC) and React Server Functions. This flaw arises from a deserialization bug, allowing attackers to execute arbitrary code on the server without needing user credentials or a valid session. Affected versions include React 19.0.0 through 19.2.0, with the vulnerability fixed in versions 19.0.1, 19.1.2, and 19.2.1. Frameworks like Next.js also released coordinated fixes, emphasizing the need for users to upgrade both React and their frameworks for complete protection.
The vulnerability exploits how React handles deserialization paths, specifically through prototype pollution. When user-controlled input influences these paths, an attacker can access the `Function` constructor, enabling arbitrary code execution. This occurs when React attempts to resolve properties during deserialization, inadvertently executing malicious code instead of harmless data. The exploit leverages multipart/form-data requests that mimic legitimate Server Function calls, making it particularly insidious.
To mitigate this issue, developers must upgrade to patched versions of React and their respective frameworks. The core fix involves preventing prototype chain traversal by ensuring that property checks are made safely, thus blocking access to dangerous properties. If immediate upgrades aren't feasible, disabling Server Functions is recommended as a temporary measure. This incident highlights the critical intersection of serialization and security, emphasizing the need for vigilance as React evolves towards server-first architectures.
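The two paragraphs above describe the bug class (a deserializer that resolves attacker-influenced property paths and so walks onto the prototype chain) and the shape of the fix (checking that each property is an own property before following it). The following is an added illustration of that pattern in plain JavaScript; it is not React's code and does not reproduce the RSC wire format. The `model` object, the `resolvePathUnsafe` and `resolvePathSafe` helpers and the dotted-path syntax are all constructed for this example.

```javascript
// Added example (not React's code): a path-resolving deserializer in its
// prototype-chain-walking form next to an own-property-checked form.
// `model`, `resolvePathUnsafe`, `resolvePathSafe` and the dotted-path syntax
// are constructed for illustration only.

// Constructed "deserialized" model, as a plain object built from a request body.
const model = { user: { name: "alice", roles: ["reader"] } };

// Unsafe: plain indexing follows the prototype chain, so a path segment naming
// an inherited property (for example "constructor" or "toString") resolves to a
// function inherited from Object.prototype instead of to data from the request.
function resolvePathUnsafe(root, path) {
  let current = root;
  for (const key of path.split(".")) {
    if (current === null || current === undefined) return undefined;
    current = current[key];
  }
  return current;
}

// Hardened: only own properties of plain objects and arrays are traversable.
// Each segment is checked with Object.hasOwn before indexing, and "__proto__"
// is rejected explicitly because JSON.parse can create it as an own property.
function resolvePathSafe(root, path) {
  let current = root;
  for (const key of path.split(".")) {
    if (typeof current !== "object" || current === null) return undefined;
    if (key === "__proto__" || !Object.hasOwn(current, key)) return undefined;
    current = current[key];
  }
  return current;
}

// A deserializer should only ever hand back data, never callable values.
function isDataValue(value) {
  return typeof value !== "function";
}

// Stand-alone demonstration of the difference between the two resolvers.
function demo() {
  const unsafe = resolvePathUnsafe(model, "user.constructor");
  const safe = resolvePathSafe(model, "user.constructor");
  return {
    unsafeIsData: isDataValue(unsafe), // false: inherited function reached
    safeIsData: isDataValue(safe),     // true: undefined, nothing inherited
  };
}
```

The hardened resolver also refuses to index into primitives (strings, numbers), since a path such as `user.name.length` would otherwise read a property off `String.prototype`; this mirrors the fix described above, where property lookups during deserialization are restricted so the prototype chain is never traversed.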