This article provides updates on recently discovered vulnerabilities (CVE-2025-55182 and CVE-2025-66478) in React Server Components and Next.js.
The following table provides key information about the vulnerabilities.
| Source | CVE Details | Affected Product Version | Patched Versions |
|---|---|---|---|
| NIST | https://nvd.nist.gov/vuln/detail/CVE-2025-55182 | react-server-dom*: 19.0.0, 19.1.0, 19.1.1, and 19.2.0 | 19.0.1, 19.1.2, and 19.2.1 |
| Vercel Next.js | CVE-2025-66478 | Next.js: 14.3.0-canary, 15.x, and 16.x (App Router) | 14.3.0-canary.88, 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7 |
Product Impact Statement
The Barracuda WAF-as-a-Service is not affected by CVE-2025-55182 or CVE-2025-66478. These vulnerabilities impact applications built with React and Next.js using React Server Components (RSC).
Vulnerability Overview
Two critical vulnerabilities have been identified in React and Next.js applications that leverage React Server Components. Attackers can exploit these flaws by sending a single, specially crafted HTTP request, potentially resulting in remote code execution on the server.
No prior authentication or additional weaknesses are required, making these vulnerabilities straightforward to exploit in affected environments.
Current Status and Ongoing Evaluation
No official proof-of-concept (POC) exploit has been released for these CVEs at this time.
Most of the attack techniques seen in unofficial POCs are currently blocked by the strict OS Command Injection rules.
Barracuda will continue to evaluate the situation as new attack techniques are identified and will update security definitions and documentation accordingly.
Attack Detection and Protection
Barracuda WAF-as-a-Service customers are protected by Barracuda’s cloud-based threat intelligence, which provides real-time signature updates and actively detects and blocks exploitation attempts.
Protections are applied automatically, and security updates will be pushed through the appropriate mechanism for all customers on versions 12.1 and 12.2; no changes to the WAF-as-a-Service are required.
Recommended Actions
Confirm that your subscription is active and automatic updates are enabled.
Review your application inventory to identify any use of React or Next.js with React Server Components.
As a good security practice, update your backend infrastructure and apply vendor patches as soon as they are released.
Utilize Barracuda’s reporting and alerting features to stay informed of any detected threats.
Communication and Support
Expect regular updates to this Campus article as the POC and attack techniques evolve.
Contact Barracuda Technical Support for guidance on configuration, monitoring, or incident response related to these vulnerabilities.
Summary
Barracuda WAF-as-a-Service is not affected by these vulnerabilities.
For applications protected by WAF-as-a-Service, we are actively deploying security updates and will continue to release new attack definitions and supporting documentation as the situation evolves.
As a good security practice, ensure your backend systems are updated according to vendor recommendations, and monitor our communications for ongoing updates.