This is what coordinated disclosure looks like.

Given that most Next.js and RSC apps run on Vercel, I’m wondering if they’re doing the same thing. There’s no information about this in their latest blog post [0].

Update: They do similar thing. Mentioned here [1]

[0] https://nextjs.org/blog/CVE-2025-66478

[1] https://vercel.com/changelog/cve-2025-55182

Would be interesting to hear from Cloudflare the extent of exploitation before today. I'm assuming they can see if/when this started being exploited.