This article provides updates on recently discovered vulnerabilities (CVE-2025-55182 & CVE-2025-66478) in React and Next.js server components.
Vulnerability Overview
Two critical vulnerabilities have been identified in React and Next.js applications that leverage React Server Components. Attackers can exploit these flaws by sending a single, specially crafted HTTP request, potentially resulting in remote code execution on the server.
No prior authentication or additional weaknesses are required, making these vulnerabilities straightforward to exploit in affected environments.
The following table provides key information about the vulnerabilities.
| CVE | Common Name | Criticality and CVSS Score | Affected Product Versions | Patched Versions | Barracuda Load Balancer ADC Affected | Barracuda Networks Advisory Issued On | Barracuda Networks Advisory |
|---|---|---|---|---|---|---|---|
| CVE-2025-55182 (CVE-2025-66478 rejected as a duplicate of 55182) | React2Shell | Critical, CVSS score 10 | react-server-dom*: 19.0.0, 19.1.0, 19.1.1, and 19.2.0; Next.js: 14.3.0-canary, 15.x, and 16.x (App Router) | react-server: 19.0.1, 19.1.2, and 19.2.1; Next.js: 14.3.0-canary.88, 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7 | NO | December 5, 2025 - as per the official vendor advisory; December 4, 2025 - first advisory | |
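The quickest way to confirm whether an application is exposed is to compare the versions actually installed against the affected and patched versions in the table above. The script below is an added example written for this article, not tooling from Barracuda Networks, the React team, or Vercel. It reads an npm package-lock.json (lockfile version 2 or 3) and reports each React Server Components or Next.js package as vulnerable, patched, or not listed on the advisory. The version boundaries are copied from the table; the concrete package names behind the table's "react-server-dom*" wildcard (react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack) and the embedded sample lock file are assumptions constructed for the example.

```python
"""Flag installed package versions affected by CVE-2025-55182 (React2Shell).

Version boundaries come from the advisory table on this page. The package
names expanded from the page's "react-server-dom*" wildcard are an assumption
of this example, as is the constructed sample lock file at the bottom.
"""
import json
import re

# Assumption: the packages covered by the page's "react-server-dom*" wildcard.
RSC_PACKAGES = {"react-server-dom-webpack", "react-server-dom-parcel",
                "react-server-dom-turbopack"}

# First fixed release per minor line, from the advisory table on this page.
PATCHED = {
    "react-server-dom": {(19, 0): "19.0.1", (19, 1): "19.1.2", (19, 2): "19.2.1"},
    "next": {(15, 0): "15.0.5", (15, 1): "15.1.9", (15, 2): "15.2.6",
             (15, 3): "15.3.6", (15, 4): "15.4.8", (15, 5): "15.5.7",
             (16, 0): "16.0.7"},
}
# The 14.3.0 canary line is fixed from this build onward (advisory table).
NEXT_CANARY_FIXED = "14.3.0-canary.88"

_SEMVER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?")


def parse(version):
    """Parse 'MAJOR.MINOR.PATCH[-pre]' into a tuple that sorts like semver.

    A final release sorts above any pre-release of the same number, and
    numeric pre-release identifiers (canary.87 < canary.88) compare as ints.
    """
    m = _SEMVER.match(version)
    if not m:
        raise ValueError(f"unrecognised version: {version}")
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    pre = m.group(4)
    if pre is None:
        return (major, minor, patch, 1, ())
    ids = tuple((0, int(p)) if p.isdigit() else (1, p) for p in pre.split("."))
    return (major, minor, patch, 0, ids)


def classify(name, version):
    """Return 'vulnerable', 'patched' or 'unlisted' for one dependency."""
    if name in RSC_PACKAGES:
        table = PATCHED["react-server-dom"]
    elif name == "next":
        table = PATCHED["next"]
    else:
        return "unlisted"          # not a package named on the advisory
    v = parse(version)
    if name == "next" and v[:3] == (14, 3, 0) and v[3] == 0:
        # 14.3.0-canary.* builds: fixed from canary.88 onward
        return "patched" if v >= parse(NEXT_CANARY_FIXED) else "vulnerable"
    fixed = table.get(v[:2])
    if fixed is None:
        return "unlisted"          # minor line has no entry in the table
    return "patched" if v >= parse(fixed) else "vulnerable"


def scan_lockfile(lock_text):
    """Scan a package-lock.json (lockfileVersion 2 or 3) and return
    {install path: (version, status)} for every advisory-listed package,
    including nested copies under another package's node_modules."""
    lock = json.loads(lock_text)
    findings = {}
    for path, meta in lock.get("packages", {}).items():
        if not path:               # "" is the root project itself
            continue
        name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
        status = classify(name, meta["version"])
        if status != "unlisted":
            findings[path] = (meta["version"], status)
    return findings


# Constructed sample lock file: one vulnerable Next.js, one vulnerable RSC
# package, one patched nested RSC package, and unrelated packages.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/next": {"version": "15.5.6"},
        "node_modules/react": {"version": "19.2.0"},
        "node_modules/react-server-dom-webpack": {"version": "19.2.0"},
        "node_modules/next/node_modules/react-server-dom-turbopack":
            {"version": "19.2.1"},
        "node_modules/lodash": {"version": "4.17.21"},
    },
})

if __name__ == "__main__":
    for path, (version, status) in sorted(scan_lockfile(SAMPLE_LOCK).items()):
        print(f"{status:10s} {path} {version}")
```

Note that plain "react" at 19.2.0 is reported as unlisted: the table names the react-server-dom* packages and Next.js, so the check keys on those rather than on the core react package. Nested copies are scanned because a lock file can pin a different react-server-dom version under node_modules/next than at the top level, and both need to be on a patched release.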
React/Next.js CVE-2025-55182 Protection
The Barracuda Networks security team has successfully validated protection against React/Next.js CVE-2025-55182 using the original proof-of-concept exploit published by the researcher, available here: React2Shell CVE-2025-55182 Original POC. This vulnerability and its proof-of-concept have also been formally acknowledged by the React development team in their official advisory: React Security Advisory.
We continue to actively monitor developments related to this issue and will update this article with the latest findings and guidance as they become available. We recommend reaching out to Barracuda Technical Support for further insight and next steps.
Application Security in ADC Models
ADC models 540 and above support the Application Security feature.
ADC models 340 and 440 do not support the Application Security feature. For these models, protection must be managed at the application server level through vendor updates and patches.
Recommended Actions
For ADC 540 and above, enable the Application Security at the service level.
For ADC 340 and 440, work with your application team to update your servers with the necessary libraries or apply relevant patches to maintain security.
| Actor | Security Mode | Automatic Update Status | Security Policies | Additional Configurations to Take Care of Future Variations of the CVE |
|---|---|---|---|---|
| Customer verifiable actions | Ensure services are in the "Active" mode. | Ensure automatic updates are enabled to receive the latest attack definition packages. | Ensure OS Command Injection protection is enabled. | Action: Contact Barracuda Technical Support for support-assisted configuration changes. |
| Support assisted actions | Move services to the "Active" mode. | Check that the Security Definitions are up to date. | Review whether all relevant default security policies are in the appropriate state. | Configure the customer system with applicable security policy updates. |
Communication and Support
Expect regular updates to this Campus article as the POC and attack techniques evolve.
Contact Barracuda Technical Support for guidance on configuration, monitoring, or incident response related to these vulnerabilities.