Barracuda Load Balancer ADC


CVE-2025-55182 - React and Next.js Remote Code Execution Vulnerabilities


This article provides updates on recently discovered vulnerabilities (CVE-2025-55182 & CVE-2025-66478) in React and Next.js server components.

The following table provides key information about the vulnerabilities.

| Source | CVE Details | Affected Product Version | Patched Versions |
| --- | --- | --- | --- |
| NIST | https://nvd.nist.gov/vuln/detail/CVE-2025-55182; https://nvd.nist.gov/vuln/detail/CVE-2025-66478: Rejected (Duplicate of 55182) | react-server-dom*: 19.0.0, 19.1.0, 19.1.1, and 19.2.0 | 19.0.1, 19.1.2, and 19.2.1 |
| Vercel | Next.js: https://vercel.com/changelog/cve-2025-55182; https://nextjs.org/blog/CVE-2025-66478 | Next.js: 14.3.0-canary, 15.x, and 16.x (App Router) | 14.3.0-canary.88, 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7 |
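As an added example (not Barracuda's code, nor the React or Next.js projects' own), the following Node.js script audits an npm package-lock.json for the affected and patched versions in the table above. The version lists are taken from the table, the sample lockfile excerpt is constructed, and any version line the table does not list is reported as "unlisted" rather than judged.

```javascript
// Added example, not Barracuda or React/Next.js project code: audit an npm
// package-lock.json (lockfileVersion 2/3) against the version table above.
// Patched patch-level per minor line, taken from the table above.
const RSD_PATCHED = { "19.0": 1, "19.1": 2, "19.2": 1 };           // react-server-dom-*
const NEXT_PATCHED = { "15.0": 5, "15.1": 9, "15.2": 6, "15.3": 6,
                       "15.4": 8, "15.5": 7, "16.0": 7 };            // next (App Router)
const NEXT_CANARY_PATCHED = 88;                                      // 14.3.0-canary.88

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-canary\.(\d+))?$/.exec(v);
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], canary: m[4] === undefined ? null : +m[4] };
}

// Compare an installed version with the patched level for its minor line.
// "unlisted" means the table gives no verdict for that line: check the vendor advisory.
function classify(version, patchedByLine, canaryPatched) {
  const p = parseVersion(version);
  if (!p) return "unlisted";
  if (p.canary !== null) {
    const isCanaryLine = canaryPatched !== undefined && p.major === 14 && p.minor === 3 && p.patch === 0;
    return !isCanaryLine ? "unlisted" : p.canary >= canaryPatched ? "patched" : "affected";
  }
  const fixed = patchedByLine[`${p.major}.${p.minor}`];
  return fixed === undefined ? "unlisted" : p.patch >= fixed ? "patched" : "affected";
}
const classifyNext = (v) => classify(v, NEXT_PATCHED, NEXT_CANARY_PATCHED);
const classifyReactServerDom = (v) => classify(v, RSD_PATCHED);

// Walk the lockfile "packages" map and classify every next / react-server-dom-* entry,
// including nested copies under node_modules/<dep>/node_modules/.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, info] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();
    if (!info.version) continue;
    const status = name === "next" ? classifyNext(info.version)
      : name.startsWith("react-server-dom-") ? classifyReactServerDom(info.version) : null;
    if (status) findings.push({ name, version: info.version, status });
  }
  return findings;
}

// Constructed sample lockfile excerpt (not taken from any real project).
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "demo-app" },
  "node_modules/next": { version: "15.4.3" },
  "node_modules/react-server-dom-webpack": { version: "19.1.1" },
} };
for (const f of auditLockfile(SAMPLE_LOCK)) console.log(`${f.status.padEnd(9)} ${f.name}@${f.version}`);
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))`; treat every "unlisted" result as a prompt to check the vendor advisory, not as a clean bill of health.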

Update December 5, 2025 - React/Next.js CVE-2025-55182 Protection

The Barracuda Networks security team has successfully validated protection against React/Next.js CVE-2025-55182 using the original proof-of-concept exploit published by the researcher, available here: React2Shell CVE-2025-55182 Original POC. This vulnerability and its proof-of-concept have also been formally acknowledged by the React development team in their official advisory: React Security Advisory.

We continue to actively monitor developments related to this issue and will update this article with the latest findings and guidance as they become available. We recommend that you reach out to Barracuda Technical Support for further insight and next steps.

Product Impact Statement

The Barracuda Load Balancer ADC is not affected by CVE-2025-55182 or CVE-2025-66478. These vulnerabilities impact applications built with React and Next.js using React Server Components (RSC).

Vulnerability Overview

Two critical vulnerabilities have been identified in React and Next.js applications that leverage React Server Components. Attackers can exploit these flaws by sending a single, specially crafted HTTP request, potentially resulting in remote code execution on the server.

No prior authentication or additional weaknesses are required, making these vulnerabilities straightforward to exploit in affected environments.

Current Status and Ongoing Evaluation

  • No official proof-of-concept (POC) exploit has been released for these CVEs at this time.

  • The majority of attack techniques identified in unofficial POCs are currently covered by the strict OS Command Injection rules.

  • Barracuda will continue to evaluate the situation as new attack techniques are identified and will update security definitions and documentation accordingly.

Attack Detection and Protection

  • ADC models 540 and above support the Application Firewall policy, allowing attack definitions to be delivered via the attackdef mechanism.

  • ADC models 340 and 440 do not support the Application Security feature. For these models, protection must be managed at the application server level through vendor updates and patches.

Recommended Actions

  • For ADC 540 and above, enable the Application Firewall policy to ensure you receive the latest attack definitions.

  • For ADC 340 and 440, work with your application team to update your servers with the necessary libraries or apply relevant patches to maintain security.

These updates are limited in scope; additional updates will be issued as the POC evolves.

Communication and Support

  • Expect regular updates to this Campus article as the POC and attack techniques evolve.

  • Contact Barracuda Technical Support for guidance on configuration, monitoring, or incident response related to these vulnerabilities.

Summary

  • Barracuda Load Balancer ADC is not affected by these vulnerabilities.

  • As a good security practice, ensure your backend systems are updated according to vendor recommendations, and monitor our communications for ongoing updates.