This article provides updates on recently discovered vulnerabilities (CVE-2025-55182 & CVE-2025-66478) in React and Next.js server components.
The following table provides key information about the vulnerabilities.
| Source | CVE Details | Affected Product Version | Patched Versions |
|---|---|---|---|
| NIST | https://nvd.nist.gov/vuln/detail/CVE-2025-55182 | react-server-dom*: 19.0.0, 19.1.0, 19.1.1, and 19.2.0 | 19.0.1, 19.1.2, and 19.2.1 |
| Vercel Next.js | | Next.js: 14.3.0-canary, 15.x, and 16.x (App Router) | 14.3.0-canary.88, 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7 |
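The following script turns the version table above into an inventory check: it reads the package versions recorded in an npm lockfile and reports which React Server Components and Next.js packages fall below the patched releases. This is an added example, not code from Barracuda, Meta, or Vercel. It assumes a package-lock.json v3 style "packages" map (a constructed sample is embedded), treats `react-server-dom-*` as a prefix match on the package name, and reports 15.x/16.x Next.js release lines that the table has no patched entry for as needing manual review rather than guessing.

```python
"""Check lockfile package versions against the advisory's version table.

Added example (not vendor code). Version lists below are copied from the
advisory table; the lockfile sample is constructed for illustration.
"""
import re
from typing import NamedTuple


class Ver(NamedTuple):
    major: int
    minor: int
    patch: int
    is_release: int  # 0 for a pre-release such as canary.N, 1 for a final release
    pre_num: int     # N in canary.N, else 0


VER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([A-Za-z]+)\.(\d+))?$")


def parse(version: str) -> Ver:
    """Parse '19.1.2' or '14.3.0-canary.88'; pre-releases sort below finals."""
    m = VER_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised version string: {version}")
    major, minor, patch, tag, pre = m.groups()
    return Ver(int(major), int(minor), int(patch), 0 if tag else 1, int(pre) if pre else 0)


# Patched versions from the advisory table, one entry per release line.
PATCHED = {
    "react-server-dom-*": ["19.0.1", "19.1.2", "19.2.1"],
    "next": ["14.3.0-canary.88", "15.0.5", "15.1.9", "15.2.6",
             "15.3.6", "15.4.8", "15.5.7", "16.0.7"],
}
# Affected versions from the table: explicit for react-server-dom-*,
# "15.x and 16.x" (plus 14.3.0-canary) for Next.js.
AFFECTED_RSC = {"19.0.0", "19.1.0", "19.1.1", "19.2.0"}
AFFECTED_NEXT_MAJORS = {15, 16}


def table_key(name: str):
    """Map an npm package name to its row in the advisory table (assumption: prefix match)."""
    if name.startswith("react-server-dom-"):
        return "react-server-dom-*"
    if name == "next":
        return "next"
    return None


def assess(name: str, version: str) -> str:
    """Return 'patched', 'affected', 'review-manually' or 'not-listed'."""
    key = table_key(name)
    if key is None:
        return "not-listed"
    v = parse(version)
    # Compare against the patched release on the same major.minor line, if the table has one.
    fixed = [parse(p) for p in PATCHED[key] if parse(p)[:2] == v[:2]]
    if fixed:
        return "patched" if v >= fixed[0] else "affected"
    if key == "react-server-dom-*":
        return "affected" if version in AFFECTED_RSC else "not-listed"
    # Next.js line not in the table: the table says 15.x/16.x are affected, so flag it for review.
    return "review-manually" if v.major in AFFECTED_NEXT_MAJORS else "not-listed"


# Constructed sample shaped like the "packages" map of an npm package-lock.json (v3).
SAMPLE_LOCK = {
    "packages": {
        "": {"name": "demo-app"},
        "node_modules/next": {"version": "15.5.6"},
        "node_modules/react": {"version": "19.2.0"},
        "node_modules/react-dom": {"version": "19.2.0"},
        "node_modules/react-server-dom-webpack": {"version": "19.2.0"},
    }
}


def scan_lock(lock: dict) -> dict:
    """Return {package: (version, status)} for every package the table covers."""
    results = {}
    for path, meta in lock.get("packages", {}).items():
        name = path.rsplit("node_modules/", 1)[-1]
        if not name or "version" not in meta:
            continue
        status = assess(name, meta["version"])
        if status != "not-listed":
            results[name] = (meta["version"], status)
    return results


if __name__ == "__main__":
    for pkg, (ver, status) in scan_lock(SAMPLE_LOCK).items():
        print(f"{pkg:32} {ver:20} {status}")
```

Point `scan_lock` at `json.load(open("package-lock.json"))` to run it against a real project; anything reported as `affected` or `review-manually` is a candidate for the vendor-recommended update.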
Product Impact Statement
The Barracuda Web Application Firewall is not affected by CVE-2025-55182 or CVE-2025-66478. These vulnerabilities impact applications built with React and Next.js using React Server Components (RSC).
Vulnerability Overview
Two critical vulnerabilities have been identified in React and Next.js applications that leverage React Server Components. Attackers can exploit these flaws by sending a single, specially crafted HTTP request, potentially resulting in remote code execution on the server.
No prior authentication or additional weaknesses are required, making these vulnerabilities straightforward to exploit in affected environments.
Current Status and Ongoing Evaluation
No official proof-of-concept (POC) exploit has been released for these CVEs at this time.
The majority of attack techniques seen in unofficial POCs are currently blocked by the strict OS Command Injection rules.
Barracuda will continue to evaluate the situation as new attack techniques are identified and will update security definitions and documentation accordingly.
Attack Detection and Protection
Barracuda WAF customers will receive regular updates to attack detection signatures. The latest rules are being rolled out to all supported hardware, cloud and virtual appliances.
These rules are designed to detect and block requests attempting to exploit the React/Next.js vulnerabilities, including variations in attack patterns.
Ensure that your WAF is running the latest security definitions and that the relevant protection policies (such as OS Command Injection) are enabled.
Recommended Actions
As a good security practice, update your backend infrastructure according to vendor recommendations and apply all relevant patches as soon as they are available.
Ensure automatic updates are enabled to receive the latest attack definition packages, and verify that security policies for header and parameter protection are active.
Monitor WAF logs for any suspicious activity related to React or Next.js exploitation attempts.
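The triage script below is an added example of what "monitor WAF logs" can look like in practice; it is not Barracuda code and does not use the Barracuda WAF log format. It assumes a generic key=value attack log (constructed sample embedded) in which each record carries the source address, method, URL, the rule that fired (or `-`), the action taken, and whether the request carried a Next.js server-action header (`Next-Action`, recorded here as `next_action=1`). The heuristic is an assumption: server-action POSTs that trip the OS Command Injection rule are counted per source, a rule that fired but only logged points at a policy still in LOG mode, and server-action POSTs later allowed from a source that was already blocked are listed for manual review as possible pattern variations.

```python
"""Triage generic WAF log lines for React/Next.js server-action exploitation attempts.

Added example (not Barracuda code, not the Barracuda log format). The log
lines and the next_action field are constructed for illustration.
"""
import re
from collections import Counter

# Constructed sample log; addresses are documentation ranges (RFC 5737).
SAMPLE_LOG = """\
2025-12-05T10:01:12Z src=203.0.113.10 method=POST url=/ rule=OS_COMMAND_INJECTION action=BLOCK next_action=1
2025-12-05T10:01:13Z src=203.0.113.10 method=POST url=/ rule=OS_COMMAND_INJECTION action=BLOCK next_action=1
2025-12-05T10:01:20Z src=203.0.113.10 method=POST url=/dashboard rule=- action=ALLOW next_action=1
2025-12-05T10:02:01Z src=198.51.100.7 method=GET url=/about rule=- action=ALLOW next_action=0
2025-12-05T10:02:05Z src=198.51.100.7 method=POST url=/api/login rule=- action=ALLOW next_action=0
2025-12-05T10:03:44Z src=192.0.2.55 method=POST url=/ rule=OS_COMMAND_INJECTION action=LOG next_action=1
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict:
    """Split 'timestamp key=value ...' into a dict; the timestamp is stored under 'ts'."""
    ts, _, rest = line.partition(" ")
    rec = dict(KV_RE.findall(rest))
    rec["ts"] = ts
    return rec


def is_server_action(rec: dict) -> bool:
    """Assumption: a POST carrying the Next-Action header is a server-action request."""
    return rec.get("method") == "POST" and rec.get("next_action") == "1"


def triage(log_text: str) -> dict:
    """Summarise server-action traffic worth a closer look.

    blocked      : source -> count of server-action POSTs blocked by a rule
    logged_only  : source -> count where a rule matched but the policy only logged
    review       : (ts, src, url) of allowed server-action POSTs from an already-blocked source
    """
    blocked, logged_only = Counter(), Counter()
    review, seen_blocked = [], set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if not is_server_action(rec):
            continue
        rule, action, src = rec.get("rule", "-"), rec.get("action"), rec.get("src")
        if rule != "-" and action == "BLOCK":
            blocked[src] += 1
            seen_blocked.add(src)
        elif rule != "-" and action == "LOG":
            logged_only[src] += 1
        elif rule == "-" and action == "ALLOW" and src in seen_blocked:
            review.append((rec["ts"], src, rec.get("url")))
    return {"blocked": dict(blocked), "logged_only": dict(logged_only), "review": review}


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    print("blocked per source:", summary["blocked"])
    print("rule matched but only logged:", summary["logged_only"])
    for ts, src, url in summary["review"]:
        print(f"review: {ts} {src} allowed server-action POST to {url}")
```

A non-empty `logged_only` result is the quickest sign that an OS Command Injection policy is still in log-only mode on a protected application; the `review` list is where analysts should look for request variations the current definitions did not match.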
Communication and Support
Expect regular updates to this Campus article as the POC and attack techniques evolve.
Contact Barracuda Technical Support for guidance on configuration, monitoring, or incident response related to these vulnerabilities.
Summary
Barracuda Web Application Firewall is not affected by these vulnerabilities.
For applications protected by Web Application Firewall, we are actively deploying security updates and will continue to release new attack definitions and supporting documentation as the situation evolves.
As a good security practice, ensure your backend systems are updated according to vendor recommendations, and monitor our communications for ongoing updates.