Barracuda WAF-as-a-Service


React2Shell CVE-2025-55182 - React and Next.js Remote Code Execution Vulnerabilities


This article provides updates on the recently disclosed vulnerabilities CVE-2025-55182 and CVE-2025-66478 in React Server Components and Next.js.

Vulnerability Overview

Two CVE identifiers were initially issued for a critical flaw in React and Next.js applications that use React Server Components (including Next.js App Router applications); CVE-2025-66478 has since been rejected as a duplicate of CVE-2025-55182. An attacker can exploit the flaw by sending a single, specially crafted HTTP request to an affected server, which can result in remote code execution on that server.

No prior authentication and no chaining with other weaknesses are required, so exploitation is straightforward in affected environments.

The following table provides key information about the vulnerability.

  • CVE: CVE-2025-55182 (CVE-2025-66478 was rejected as a duplicate of CVE-2025-55182)

  • Common Name: React2Shell

  • Criticality and CVSS Score: Critical, CVSS 10.0

  • Affected Product Versions:

    • react-server-dom*: 19.0.0, 19.1.0, 19.1.1, and 19.2.0

    • Next.js: 14.3.0-canary, 15.x, and 16.x (App Router)

  • Patched Versions:

    • react-server-dom*: 19.0.1, 19.1.2, and 19.2.1

    • Next.js: 14.3.0-canary.88, 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, and 16.0.7

  • Barracuda WAF-as-a-Service Affected: No

  • Barracuda Networks Advisory Issued On: December 5, 2025, as per the official vendor advisory

  • Barracuda Networks Advisory: December 4, 2025 (first advisory)

  • Customer Action:

    • Ensure automatic updates are enabled.

  • Support Assisted Action:

    • Apply recommendations.

React/Next.js CVE-2025-55182 Protection

The Barracuda Networks security team has validated protection against React/Next.js CVE-2025-55182 using the original proof-of-concept exploit published by the researcher, available here: React2Shell CVE-2025-55182 Original POC. The vulnerability and its proof of concept have also been formally acknowledged by the React development team in their official advisory: React Security Advisory.

We continue to actively monitor developments related to this issue and will update this article with the latest findings and guidance as they become available. We recommend that you contact Barracuda Technical Support for further insight and next steps.

Attack Detection and Protection

  • Barracuda WAF-as-a-Service customers are protected by Barracuda’s cloud-based threat intelligence, which provides real-time signature updates and actively detects and blocks exploitation attempts.

  • The existing default security policies protect against this vulnerability. Ensure that the policies listed in the Recommended Actions table are enabled. For any assistance, contact Barracuda Technical Support.

  • These rules are designed to detect and block requests that attempt to exploit remote code execution vulnerabilities.

  • You will continue to receive regular updates as new variants are identified.

Recommended Actions

  • As a good security practice, update your backend React and Next.js dependencies to the patched versions listed above and apply all relevant vendor patches. WAF protection is a compensating control and does not replace patching the application itself.

  • Monitor WAF logs for any suspicious activity related to React or Next.js exploitation attempts. For clarification, contact Barracuda Technical Support.
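To make the patching step concrete, the following added example script (not code from Barracuda, React, or Next.js) triages the packages recorded in a project's package-lock.json against the affected and patched versions listed in the table above. The article writes the React package family as react-server-dom*; the script assumes that prefix covers the react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack packages. The lock-file fragment embedded in the script is constructed for illustration, and the function and status names are the example's own.

```javascript
// Added example, not code from Barracuda, React, or Next.js: triage installed
// React Server Components packages against the affected/patched versions in
// this article. The package names under the article's "react-server-dom*"
// prefix are an assumption; the sample lock file below is constructed.

// Patched versions per affected release line, as listed in the article's table.
const PATCHED = {
  'react-server-dom-webpack': ['19.0.1', '19.1.2', '19.2.1'],
  'react-server-dom-parcel': ['19.0.1', '19.1.2', '19.2.1'],
  'react-server-dom-turbopack': ['19.0.1', '19.1.2', '19.2.1'],
  next: ['14.3.0-canary.88', '15.0.5', '15.1.9', '15.2.6', '15.3.6',
         '15.4.8', '15.5.7', '16.0.7'],
};

// Parse "MAJOR.MINOR.PATCH[-PRERELEASE]" into comparable parts.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] ? m[4].split('.') : null };
}

function formatVersion(p) {
  return `${p.major}.${p.minor}.${p.patch}${p.pre ? '-' + p.pre.join('.') : ''}`;
}

// Semver ordering: numeric core first, then prerelease. A prerelease sorts
// before its release; prerelease identifiers compare numerically when both
// are numeric (canary.50 < canary.88), otherwise lexically.
function compareVersions(a, b) {
  for (const k of ['major', 'minor', 'patch']) {
    if (a[k] !== b[k]) return a[k] - b[k];
  }
  if (!a.pre && !b.pre) return 0;
  if (!a.pre) return 1;
  if (!b.pre) return -1;
  const n = Math.max(a.pre.length, b.pre.length);
  for (let i = 0; i < n; i++) {
    const x = a.pre[i], y = b.pre[i];
    if (x === undefined) return -1;
    if (y === undefined) return 1;
    const xn = /^\d+$/.test(x), yn = /^\d+$/.test(y);
    if (xn && yn) { if (+x !== +y) return +x - +y; }
    else if (xn) return -1;
    else if (yn) return 1;
    else if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Two versions share a release line when major.minor match and both are
// releases, or both carry the same prerelease tag (e.g. "canary").
function sameLine(a, b) {
  if (a.major !== b.major || a.minor !== b.minor) return false;
  if (!a.pre && !b.pre) return true;
  return !!a.pre && !!b.pre && a.pre[0] === b.pre[0];
}

// Classify one installed package version against the article's fix list.
function assess(pkg, installedVersion) {
  const fixes = PATCHED[pkg];
  if (!fixes) return { pkg, installed: installedVersion, status: 'not_tracked' };
  const inst = parseVersion(installedVersion);
  const fixed = fixes.map(parseVersion);
  const onLine = fixed.find((f) => sameLine(f, inst));
  if (onLine) {
    const status = compareVersions(inst, onLine) >= 0 ? 'patched' : 'vulnerable';
    return { pkg, installed: installedVersion, status, fix: formatVersion(onLine) };
  }
  // No fix listed for this line: anything older than the oldest listed fix
  // predates the affected releases; anything newer needs a manual check
  // against the vendor advisory rather than an assumption of safety.
  const oldest = fixed.reduce((m, f) => (compareVersions(f, m) < 0 ? f : m));
  const status = compareVersions(inst, oldest) < 0 ? 'below_listed_range' : 'review';
  return { pkg, installed: installedVersion, status };
}

// Walk the "packages" map of a package-lock.json (lockfileVersion 2 or 3) and
// report every tracked package, including nested copies under node_modules.
function triageLock(lock) {
  const results = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf('node_modules/');
    if (idx < 0 || !entry.version) continue;
    const pkg = path.slice(idx + 'node_modules/'.length);
    if (PATCHED[pkg]) results.push({ path, ...assess(pkg, entry.version) });
  }
  return results;
}

// Constructed sample lock-file fragment (not taken from a real project).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    'node_modules/next': { version: '15.4.7' },
    'node_modules/react': { version: '19.2.0' },
    'node_modules/react-server-dom-webpack': { version: '19.2.0' },
    'node_modules/react-server-dom-turbopack': { version: '19.2.1' },
  },
};

for (const r of triageLock(SAMPLE_LOCK)) {
  console.log(`${r.status.padEnd(18)} ${r.pkg}@${r.installed}${r.fix ? ' (fix: ' + r.fix + ')' : ''}`);
}
```

Replace SAMPLE_LOCK with JSON.parse(fs.readFileSync('package-lock.json', 'utf8')) to run it against a real project. A status of review means the installed version sits on an affected major line but has no fix version listed in this article (for example a newer minor or a different prerelease tag), so check the vendor advisory instead of treating it as safe; below_listed_range means the version predates every listed fix line, such as react-server-dom 18.x or Next.js 14.2.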

  • Customer verifiable actions:

    • Application Mode: Ensure applications are in "Block" mode.

    • Automatic Update Status: Ensure automatic updates are enabled to receive the latest attack definition packages, and verify that security policies for header and parameter protection are active.

    • Security Policies: OS Command Injection protection is enabled, and header and parameter protection are active.

    • Additional Configurations to Take Care of Future Variations of the CVE: Contact Barracuda Technical Support for support-assisted configuration changes.

  • Support Assisted actions:

    • Application Mode: Move applications to "Block" mode.

    • Automatic Update Status: Check that the Security Definitions are up to date.

    • Security Policies: Review whether all relevant default security policies are in the appropriate state.

    • Additional Configurations to Take Care of Future Variations of the CVE: Configure the customer system with applicable security policy updates.

Communication and Support

  • Expect regular updates to this Campus article as the POC and attack techniques evolve.

  • Contact Barracuda Technical Support for guidance on configuration, monitoring, or incident response related to these vulnerabilities.