This is genuinely embarrassing for the Next.js and React teams. They were warned for years that their approach to server-client communication had risks, derided and ignored everyone who didn't provide unconditional praise, and now this.
I think their time as JavaScript thought leaders is past due.
Not really, I didn't keep receipts. This stuff was discussed heavily on X a couple years ago when they were first launched and a lot of people questioned the wisdom of implicit RPC and blurring the lines between client/server, and the increasing complexity of React. I'm sure there were some articles written as well.
I believe one of the React email services got pwned because they leaked sensitive info via RSC, and there was a whole fiasco around Next.js encrypting server secrets and sending them to the client.
Lo and behold, just a couple years later, a lvl 10 RCE because of the complexity of their RPC approach coupled with the blurring of the lines between client/server... it's not like it's surprising to us. A repro of the vulnerability is on X & GitHub if you want to search for it; it's a classic deserialization bug that only exists because their format is so complex (and powerful).
Remember a lot of us use React as a UI library and to see it causing our servers to get pwned is what people were uneasy about when they announced RSC.
Unfortunately much of this discussion is on X, which makes it hard to find, especially because I think Dan Abramov deleted his X account.