ryotkim.com

Incident Post-Mortem: Payload CMS & Next.js Partial Outage in Jan 2026

Architecture

Before getting into the incident itself, here’s a high-level overview of the stack used in our system:

  • Frontend: Next.js (App Router, React Server Components) deployed on Vercel
  • Content Backend: Payload CMS running in a Docker container on Linode
  • Database: MongoDB Atlas cluster
  • Reverse Proxy: Caddy
  • Custom Domain: Routed via Vercel

This split architecture allows independent deployment pipelines and scaling for frontend and backend, but introduces potential points of failure when one piece becomes unavailable.

What Happened: Timeline

Dec 6 2025 – Security Bulletin from Vercel

Vercel sent out a security advisory regarding critical RCE (Remote Code Execution) vulnerabilities in certain Next.js versions. These included:

  • CVE-2025-55184
  • CVE-2025-55183

In response, Vercel began blocking deployments of vulnerable releases and recommended immediate upgrades. This notification was acknowledged, but due to scheduling and workload constraints, the application was not immediately updated.