F5 provides enhanced protections against React vulnerability (CVE-2025-55182)

F5 ADSP | December 04, 2025

A new security vulnerability in React, identified as CVE-2025-55182 and carrying a CVSS score of 10.0, may expose applications using this popular JavaScript library to potential cyberattacks via remote code execution (RCE).

Developers and organizations using React in their applications should immediately evaluate their systems as exploitation of this vulnerability could lead to compromise of affected systems.

Affected versions

The CVE is known to affect the following versions of React:

  • 19.0.0, 19.1.0, 19.1.1, and 19.2.0

Any system or application that relies on these versions of React is considered vulnerable and should be upgraded immediately. More information is available on the React team’s public notification page.

The CVE is known to affect the following versions of Next.js:

  • Next.js 15.x, Next.js 16.x, Next.js 14.3.0-canary.77 and later canary releases

Note that these versions of Next.js are vulnerable because they rely on the versions of React mentioned above. The vulnerability in Next.js may also be referenced as CVE-2025-66478, which was rejected as a duplicate because the underlying vulnerability is CVE-2025-55182 in React. Any system or application that relies on these versions of Next.js is considered vulnerable and should be upgraded immediately. More information is available on the Next.js team’s public notification page.
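To support the evaluation called for above, the following added example (not F5's, React's, or Next.js's code) scans the `packages` map of an npm `package-lock.json` for `react` and `next` entries that appear on this page's affected lists. The lockfile contents are constructed sample data, and the lists are applied literally, so every Next.js 15.x or 16.x release is reported and should then be compared against the Next.js team's notification for fixed versions.

```javascript
// Added example: affected-version lists copied from this page.
const AFFECTED_REACT = new Set(["19.0.0", "19.1.0", "19.1.1", "19.2.0"]);

// Next.js per this page: 15.x, 16.x, and 14.3.0-canary.77 or later canaries.
// Assumption: "later canary releases" means any 14.x canary ordered after
// 14.3.0-canary.77; stable 14.x releases are not on the page's list.
function isAffectedNext(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-canary\.(\d+))?/.exec(version);
  if (!m) return false;
  const [major, minor, patch] = [m[1], m[2], m[3]].map(Number);
  if (major === 15 || major === 16) return true;
  if (major !== 14 || m[4] === undefined) return false;
  const canary = Number(m[4]);
  return minor > 3 || (minor === 3 && (patch > 0 || canary >= 77));
}

// Walk the "packages" map of a lockfileVersion 2/3 package-lock.json.
// Nested copies (node_modules/x/node_modules/react) are checked too, since a
// transitive dependency can pin an affected version the top level does not.
function findAffected(lock) {
  const marker = "node_modules/";
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf(marker);
    if (idx === -1 || !meta.version) continue; // root project or workspace entry
    const name = path.slice(idx + marker.length);
    const bad =
      (name === "react" && AFFECTED_REACT.has(meta.version)) ||
      (name === "next" && isAffectedNext(meta.version));
    if (bad) hits.push({ name, version: meta.version, path });
  }
  return hits;
}

// Constructed sample lockfile (not from a real project).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/react": { version: "19.1.1" },
    "node_modules/next": { version: "14.2.5" },
    "node_modules/legacy-widget/node_modules/react": { version: "18.3.1" },
    "node_modules/admin-ui/node_modules/next": { version: "14.3.0-canary.80" },
  },
};

for (const h of findAffected(SAMPLE_LOCK)) {
  console.log(`${h.name}@${h.version} at ${h.path}`);
}
```

To check a real project, pass the parsed contents of its own `package-lock.json` to `findAffected` in place of the sample object.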

Enhanced protections with F5

In addition to upgrading to secure versions of React and Next.js, if you're an F5 customer, enhanced Web Application Firewall (WAF) signatures have been released to detect and block exploitation attempts of CVE-2025-55182. These signatures provide an additional layer of defense against known attack vectors targeting React and Next.js applications.

F5 BIG-IP Advanced WAF / ASM, F5 WAF for NGINX, and F5 NGINX App Protect WAF signatures

If you use the F5 BIG-IP Advanced WAF or F5 BIG-IP Application Security Manager (ASM) module, F5 WAF for NGINX, or F5 NGINX App Protect WAF to protect your backend pool members, you can mitigate this vulnerability by enabling both of the following attack signatures in blocking mode:

  • React Server Components RCE, ID 200204048 and ID 200204050

These attack signatures are part of the newly released attack signature update ASM-AttackSignatures_20251204_143801.im; you must perform a signature file update to ASM-AttackSignatures_20251204_143801.im or later for these signatures to be available on your system.

F5 Distributed Cloud WAF signature

Two new signatures, React Server Components RCE, ID 200204048 and 200204050, have been released to all Regional Edges (RE) on Distributed Cloud. To use this protection, ensure your Distributed Cloud WAF policies have High and Medium Accuracy signatures enabled in blocking mode.

Keeping your F5 protections up to date is critical

Attackers are actively looking to exploit this CVE, and F5 is monitoring the situation closely for any novel exploits not covered by known vectors. Keeping your F5 protections up to date is critical to stay ahead of attackers. New signatures and updates may be released if necessary to continue to protect against these evolving threats. For more information on signature updates, follow the guidance provided in F5 Knowledge Base Article K000158058 and the F5 Cloud Documentation on Attack Signatures.

About the Author

Chris Malladi, Principal Product Manager, F5 Distributed Cloud WAF
