Cloudflare WAF proactively protects against React vulnerability

Daniele Molteni

AI-Generated Summary: This is an automated summary created using AI. For the full details and context, please read the original post.

Cloudflare has deployed a new protection against a Remote Code Execution (RCE) vulnerability in React Server Components (RSC). It automatically protects all customers, on both free and paid plans, as long as their React application traffic is proxied through the Cloudflare Web Application Firewall (WAF). The vulnerability, identified as CVE-2025-55182 (CVSS 10.0), affects React versions 19.0, 19.1, and 19.2, as well as Next.js versions 15 through 16. Cloudflare Workers are inherently immune to this exploit.

Customers Affected and Recommended Course of Action

All customers on Professional, Business, or Enterprise plans should ensure that Managed Rules are enabled; customers on a Free plan have these rules enabled by default. Cloudflare strongly recommends that customers immediately update their systems to the most recent version of React (19.2.1) and the latest versions of Next.js (16.0.7, 15.5.7, 15.4.8). The new rules were deployed at 5:00 PM GMT on Tuesday, December 2, 2025, and no attempted exploit has been observed since their release.
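
One way to check a project's declared dependencies against the versions listed above, as an added example that is not code from Cloudflare's post. The function names, status strings and sample manifest are assumptions made for illustration; only the declared version is read, so the lockfile remains authoritative for what is actually installed.

```javascript
// Fixed releases named in this summary; other patched releases are not assumed.
const FIXED = {
  react: [[19, 2, 1]],
  next: [[15, 4, 8], [15, 5, 7], [16, 0, 7]],
};
// Affected ranges as stated above: React 19.0-19.2, Next.js 15 through 16.
const AFFECTED = {
  react: (v) => v[0] === 19 && v[1] <= 2,
  next: (v) => v[0] === 15 || v[0] === 16,
};

// Parse "19.1.0", "^19.1.0" or "~15.4.2" into [major, minor, patch]; null otherwise.
function parseVersion(spec) {
  const m = /^[\^~=v]*(\d+)\.(\d+)\.(\d+)/.exec(String(spec).trim());
  return m ? m.slice(1, 4).map(Number) : null;
}

function classify(pkg, spec) {
  const v = parseVersion(spec);
  if (!v) return "unknown"; // "latest", "*", ">=..." must be resolved via the lockfile
  if (!AFFECTED[pkg](v)) return "outside-affected-range";
  const fixes = FIXED[pkg].filter((f) => f[0] === v[0]);
  if (!fixes.length) return "update-needed";
  // Same major.minor line as a named fix: compare patch levels.
  const sameLine = fixes.find((f) => f[1] === v[1]);
  if (sameLine) return v[2] >= sameLine[2] ? "patched" : "update-needed";
  // Assumption: a release line newer than every named fix in this major includes it.
  // Older lines with no fix named above are reported conservatively.
  const newest = Math.max(...fixes.map((f) => f[1]));
  return v[1] > newest ? "patched" : "update-needed";
}

// Audit a parsed package.json object; only react and next are reported.
function audit(manifest) {
  const deps = { ...manifest.devDependencies, ...manifest.dependencies };
  const report = {};
  for (const pkg of Object.keys(FIXED)) {
    if (pkg in deps) report[pkg] = classify(pkg, deps[pkg]);
  }
  return report;
}

// Constructed sample manifest, not taken from any real project.
const sample = { dependencies: { react: "^19.1.0", next: "15.5.7", lodash: "4.17.21" } };
console.log(audit(sample));
```
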
