- Course
Breaking! React & Next.js Hit by CVSS 10.0 Bug
Learn how CVE-2025-55182 impacts React Server Components and Next.js. This episode shows you how to identify affected apps, patch the flaw, and protect your stack.
This course is included in the libraries shown below:
- Security
What you'll learn
React and Next.js sit at the core of many modern web applications, and increasingly they don’t just render UI, they handle routing, data access and server-side logic. React Server Components (RSC) and the Next.js App Router blur the line between “frontend” and “backend”, putting framework code directly in front of sensitive services and secrets.

In December 2025, CVE-2025-55182 was disclosed: a critical flaw in RSC request/response handling that lets an unauthenticated attacker send crafted payloads and achieve remote code execution on affected servers. The issue carries a CVSS 10.0 rating, impacts multiple React server packages and popular frameworks including Next.js, and dramatically raises the stakes for internet-facing deployments.

This episode moves quickly from RSC/App Router fundamentals to practical defense. You’ll see how the bug arises in the architecture, learn how to identify vulnerable stacks in real environments, and walk through patching, short-term containment and monitoring strategies. By the end, you’ll be ready to brief stakeholders clearly and help keep high-value web services online when this – or the next – framework-level zero-day lands.