This article is crucial for engineers managing React/Next.js applications, highlighting an RCE vulnerability and Cloudflare's WAF as a critical first line of defense. It emphasizes the importance of both network-level protection and prompt application-level updates.
Cloudflare has deployed a new protection to address a vulnerability in React Server Components (RSC). All Cloudflare customers are automatically protected, including those on free and paid plans, as long as their React application traffic is proxied through the Cloudflare Web Application Firewall (WAF).
Cloudflare Workers are inherently immune to this exploit. React-based applications and frameworks deployed on Workers are not affected by this vulnerability.
Although our WAF is designed to detect and block this exploit, we strongly recommend that customers immediately update their systems to the most recent version of React.
Cloudflare has been alerted by its security partners to a Remote Code Execution (RCE) vulnerability impacting Next.js, React Router, and other React frameworks (security advisory CVE-2025-55182, rated CVSS 10.0). Specifically, React versions 19.0, 19.1, and 19.2, and Next.js versions 15 through 16, were found to insecurely deserialize malicious requests, leading to RCE.
In response, Cloudflare has deployed new rules across its network, with the default action set to Block. These new protections are included in both the Cloudflare Free Managed Ruleset (available to all Free customers) and the standard Cloudflare Managed Ruleset (available to all paying customers). More information about the different rulesets can be found in our documentation.
The rule IDs are as follows:

| Ruleset | Rule ID | Default action |
| --- | --- | --- |
| Cloudflare Free Managed Ruleset | | Block |
| Cloudflare Managed Ruleset | | Block |
Customers on Professional, Business, or Enterprise plans should ensure that Managed Rules are enabled — follow these steps to turn it on. Customers on a Free plan have these rules enabled by default.
We recommend that customers update to the latest version of React 19.2.1 and the latest versions of Next.js (16.0.7, 15.5.7, 15.4.8).
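As an added example (not code from the Cloudflare post or from the React/Next.js projects), the following Node.js script classifies the React and Next.js versions recorded in a package-lock.json against the affected and patched releases named above. The lockfile fragment is constructed, and the rule that a release newer than every patched version on the same major carries the fix is an assumption, noted in the code.

```javascript
// Added example, not from the Cloudflare post: flag React / Next.js versions in a
// package-lock.json against the releases the advisory names.
// From the page: affected React 19.0, 19.1, 19.2 and Next.js 15 through 16;
// patched React 19.2.1; patched Next.js 16.0.7, 15.5.7, 15.4.8.
const AFFECTED_MAJORS = { react: [19], next: [15, 16] };
const PATCHED = {
  react: [[19, 2, 1]],
  next: [[16, 0, 7], [15, 5, 7], [15, 4, 8]],
};

function parseVersion(text) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(text).trim());
  if (!m) throw new Error(`unparseable version: ${text}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Returns 'patched', 'vulnerable' or 'not-listed' (a major the advisory does not cover).
function classify(pkg, version) {
  const v = parseVersion(version);
  if (!(AFFECTED_MAJORS[pkg] || []).includes(v[0])) return 'not-listed';
  const sameMajor = PATCHED[pkg].filter(p => p[0] === v[0]);
  const sameLine = sameMajor.find(p => p[1] === v[1]);
  if (sameLine) return cmp(v, sameLine) >= 0 ? 'patched' : 'vulnerable';
  // No patched release is named for this minor line. Assumption: a version newer than
  // every patched release on this major carries the fix; anything older needs upgrading.
  const newest = sameMajor.reduce((a, b) => (cmp(a, b) >= 0 ? a : b));
  return cmp(v, newest) > 0 ? 'patched' : 'vulnerable';
}

// Walks the "packages" map of a package-lock.json (lockfileVersion 2/3) and reports
// every react / next entry, including nested copies under other dependencies.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path.split('node_modules/').pop();
    if (name === 'react' || name === 'next') {
      findings.push({ path, name, version: meta.version, status: classify(name, meta.version) });
    }
  }
  return findings;
}

// Constructed sample lockfile fragment, not a real project.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  'node_modules/react': { version: '19.1.0' },
  'node_modules/next': { version: '15.5.7' },
  'node_modules/some-lib/node_modules/react': { version: '18.3.1' },
} };
```

Run it against a real lockfile with `auditLockfile(JSON.parse(fs.readFileSync('package-lock.json', 'utf8')))`; any `vulnerable` entry, including a nested copy, means the upgrade is not yet complete.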
The rules were deployed at 5:00 PM GMT on Tuesday, December 2, 2025. Between their release and the publication of this blog and the official CVE announcement, we have not observed any attempted exploit.
The Cloudflare security team has collaborated with partners to identify various attack patterns and ensure the new rules effectively prevent any bypasses. Over the coming hours and days, the team will maintain continuous monitoring for potential attack variations, updating our protections as necessary to secure all traffic proxied via Cloudflare.