| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| react-server-dom-webpack | npm | = 19.0 | 19.0.1 |
| react-server-dom-webpack | npm | >= 19.1.0, < 19.1.2 | 19.1.2 |
| react-server-dom-webpack | npm | = 19.2.0 | 19.2.1 |
| react-server-dom-turbopack | npm | = 19.0 | 19.0.1 |
| react-server-dom-turbopack | npm | >= 19.1.0, < 19.1.2 | 19.1.2 |
| react-server-dom-turbopack | npm | = 19.2.0 | 19.2.1 |
| react-server-dom-parcel | npm | = 19.0 | 19.0.1 |
| react-server-dom-parcel | npm | >= 19.1.0, < 19.1.2 | 19.1.2 |
| react-server-dom-parcel | npm | = 19.2.0 | 19.2.1 |
The vulnerability is a Remote Code Execution (RCE) in React Server Components, caused by insecure deserialization of data sent from the client to the server. An attacker can craft a malicious request to a server action endpoint.
The server-side code uses a function, decodeReplyFromBusboy, to parse this request. The core of the vulnerability lies in the ReactFlightReplyServer.js file, which contains the logic for deserializing the client's request and executing server-side functions.
The reviveModel function recursively reconstructs JavaScript objects from the parsed JSON payload. The original implementation was vulnerable to prototype pollution, allowing an attacker to inject a __proto__ key in the payload to modify Object.prototype.
This prototype pollution is then leveraged by loadServerReference, which is responsible for loading and executing the server function requested by the client. This function uses requireModule to load the function's code. The requireModule function was also vulnerable, as it accessed properties on a module object without checking if they were its own properties. An attacker could exploit the polluted prototype to make requireModule execute arbitrary code.
The patch addresses these issues by:
- Adding hasOwnProperty checks in requireModule to prevent prototype pollution.
- Reworking ReactFlightReplyServer.js, particularly reviveModel and loadServerReference, to handle object creation and cycles securely.
- Hardening decodeReplyFromBusboy to prevent crashes from malformed payloads.

Functions and files changed by the patch:

| Function | File |
|---|---|
| requireModule | packages/react-server-dom-parcel/src/client/ReactFlightClientConfigBundlerParcel.js |
| requireModule | packages/react-server-dom-turbopack/src/client/ReactFlightClientConfigBundlerTurbopack.js |
| requireModule | packages/react-server-dom-webpack/src/client/ReactFlightClientConfigBundlerNode.js |
| requireModule | packages/react-server-dom-webpack/src/client/ReactFlightClientConfigBundlerWebpack.js |
| reviveModel | packages/react-server/src/ReactFlightReplyServer.js |
| loadServerReference | packages/react-server/src/ReactFlightReplyServer.js |
| decodeReplyFromBusboy | packages/react-server-dom-webpack/src/server/ReactFlightDOMServerNode.js |
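The two defect classes described above, a reviver that writes a client-supplied __proto__ key into an existing object graph and a module lookup that reads a table without an own-property check, are easy to reproduce in isolation. The following is an added example and is not React's code: applyPayloadNaive, applyPayloadSafe, requireModuleNaive, requireModuleSafe and demo are hypothetical names, the payload is a constructed sample, and nothing here models React's actual wire format. It shows the vulnerable pattern beside the hardened form (own-property checks, rejection of prototype keys, null-prototype objects), which is the shape of the fix the advisory describes.

```javascript
// Added example (not React's code). A minimal deserializer that applies a parsed JSON
// payload onto an existing object graph, and a module-table lookup of the kind a
// loadServerReference/requireModule step performs. Each is shown vulnerable and hardened.

// --- Vulnerable reviver: no key filtering ----------------------------------------
// For the key "__proto__", `target["__proto__"]` resolves to Object.prototype, so the
// recursive call writes the payload's nested keys straight onto Object.prototype.
function applyPayloadNaive(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      if (typeof target[key] !== 'object' || target[key] === null) target[key] = {};
      applyPayloadNaive(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// --- Hardened reviver: reject prototype keys, only ever descend into own properties,
// and build null-prototype objects so nothing is inherited from Object.prototype.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function applyPayloadSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) throw new TypeError(`rejected key: ${key}`);
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      if (!hasOwn(target, key) || typeof target[key] !== 'object' || target[key] === null) {
        target[key] = Object.create(null);
      }
      applyPayloadSafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// --- Vulnerable module lookup: an unguarded property read on a plain object table.
// Any id that is not an own key falls through to Object.prototype, so a polluted
// prototype makes an unregistered id "resolve".
function requireModuleNaive(moduleTable, id) {
  const entry = moduleTable[id];
  if (entry === undefined) throw new Error(`unknown module: ${id}`);
  return entry;
}

// --- Hardened module lookup: only own properties count as registered modules.
function requireModuleSafe(moduleTable, id) {
  if (!hasOwn(moduleTable, id)) throw new Error(`unknown module: ${id}`);
  return moduleTable[id];
}

// Run the scenario end to end and return what each path did.
function demo() {
  // Constructed sample payload carrying a "__proto__" key (JSON.parse keeps it as an own key).
  const payload = JSON.parse('{"__proto__": {"injected": "from-payload"}}');
  const moduleTable = { realModule: 'real-export' };

  // Vulnerable path: pollutes Object.prototype, after which the naive lookup returns a
  // value for an id that was never registered.
  applyPayloadNaive({}, payload);
  const leaked = requireModuleNaive(moduleTable, 'injected');

  // Hardened lookup, evaluated while the prototype is still polluted: still refuses the id.
  let lookupRejected = false;
  try { requireModuleSafe(moduleTable, 'injected'); } catch (e) { lookupRejected = true; }

  // Undo the pollution so the rest of the process is clean.
  delete Object.prototype.injected;

  // Hardened reviver: refuses the payload outright, but still handles a benign one.
  let rejected = false;
  try { applyPayloadSafe(Object.create(null), payload); } catch (e) { rejected = e instanceof TypeError; }
  const benign = applyPayloadSafe(Object.create(null), JSON.parse('{"a": {"b": 1}}'));

  return { leaked, lookupRejected, rejected, benign: benign.a.b, clean: !('injected' in {}) };
}

console.log(demo());
```

The detection-relevant point is the second half: even with the reviver fixed, a lookup that reads `table[id]` without an own-property check remains one prototype write away from resolving attacker-chosen names, which is why the patch touches every requireModule variant as well as reviveModel.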