Hey everyone,
The recent vulnerability (CVE-2025-55182) is bad, sure. but honestly? it feels like just one symptom of a much bigger issue we've been ignoring.
Whenever we introduce a "revolutionary" solution in tech (or any fields actually), we usually create a dozen new problems in the process. with react server components (RSC), i'm starting to think the trade-off simply isn't worth it
We're blurring the line between client and server so much that the architecture itself feels messy and unintuitive
The mental model tax
Before this era, the mental model was incredibly clear:
-
server: trusted. has secrets. talks to db. returns dead json.
-
client: untrusted. runs in browser. renders ui.
The boundary was a network request. it was distinct. it was hard to mess up because you knew you were crossing a line.
Now? we have to constantly categorize code in our heads:
-
is this a server component?
-
is this a client component?
-
is this a "shared" component?
-
wait, did i just import a server-only utility into a client boundary?
Code example: the "blurry" line
In the old days, you'd never accidentally expose a db call to the client because you had to write an api endpoint. Now, the architecture invites mistakes because it looks too much like regular javascript.
// UserProfile.tsx (Server Component)
import db from '@/lib/db';
export default async function Page({ id }) {
// this runs on server, cool
const user = await db.findUser(id);
// BUT... if i pass 'user' to a Client Component,
// i am implicitly serializing it across the wire.
// did i strip the password hash? the internal flags?
// or did i just leak it because i forgot to create a DTO?
return <ClientView user={user} />;
}
The recent CVE happened because the mechanism bridging this gap (the flight protocol) was flawed. but even without the bug, the architecture forces us to constantly manage this massive mental overhead.
Is it actually worth it?
We accepted all this complexity to save... what? a few milliseconds on a waterfall? to avoid writing useEffect?
We replaced "fetch data on mount" (annoying but safe/understood) with an architecture that requires us to essentially run a remote code execution engine inside our production servers.
Think about it: CVE-2025-55182 wasn't just a data leak. it happened because we built a protocol (flight) that treats client input not just as data to be rendered, but as instructions to be executed.
We moved from:
-
old world: client sends dead json → server saves it. (risk: bad data)
-
rsc world: client sends serialized instruction stream → server deserializes and runs it
It feels like we took a clear, robust separation of concerns and turned it into a "full stack" soup where the boundary isn't just blurry -it's dangerous
Maybe separating the frontend and backend wasn't a "problem" to be solved
Maybe it was a safety feature
