Workers, WAF - WAF and framework adapter mitigations for React and Next.js vulnerabilities
Source: cloudflare.com

Multiple security vulnerabilities were disclosed by the React team and Vercel affecting React Server Components and Next.js. These include denial of service, middleware and proxy bypass, server-side request forgery, cross-site scripting, and cache poisoning issues across a range of severity levels. We strongly recommend updating your application and its dependencies immediately. Patched versions are available for React (react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack 19.0.6, 19.1.7, and 19.2.6) and Next.js (15.5.16 and 16.2.5).

WAF protections

Cloudflare WAF rules deployed in response to prior React Server Component CVEs (CVE-2025-55184 and CVE-2026-23864) already provide coverage for the newly disclosed denial-of-service vulnerabilities. These rules are enabled by default with a Block action for all customers using the Cloudflare Managed Ruleset, including Free plan customers using the Free Managed Ruleset.

| Ruleset | Rule description | Rule ID | Default action |
| --- | --- | --- | --- |
| Cloudflare Managed Ruleset | React - DoS - CVE-2025-55184 | 2694f1610c0b471393b21aef102ec699 | Block |
| Cloudflare Managed Ruleset | React - DoS - CVE-2026-23864 | aaede80b4d414dc89c443cea61680354 | Block |

The existing rules detect the underlying attack patterns generically. As a result, they also apply to the new CVE-2026-23870 denial-of-service vulnerability in Server Components and the corresponding Next.js advisory GHSA-8h8q-6873-q5fj. Cloudflare is investigating whether WAF rules can be safely and effectively deployed for three of the high-severity advisories: CVE-2026-23870 / GHSA-8h8q-6873-q5fj, GHSA-267c-6grr-h53f, and GHSA-mg66-mrh9-m8jx. If it is possible to create a managed WAF rule that mitigates these CVEs without potentially breaking application behavior, Cloudflare will add additional managed WAF rules.
These rules will be announced through the WAF changelog. Because these vulnerabilities were shared with Cloudflare with minimal advance notice, we are still investigating what WAF mitigations are possible. Several of the disclosed vulnerabilities cannot be blocked in the WAF. We strongly recommend updating your applications so they are not purely reliant on WAF mitigations. Customers on Pro, Business, or Enterprise plans should ensure that Managed Rules are enabled.

Next.js adapters

Vinext: Vinext is a Vite plugin that reimplements the Next.js API surface. Vinext's latest release is not vulnerable to any of the disclosed CVEs. Vinext's architecture differs from stock Next.js in ways that sidestep the affected code paths. For example, it does not implement the PPR resume protocol, does not expose Pages Router data-route endpoints, and strips internal headers such as x-nextjs-data at request boundaries. As an extra layer of defense, we added a React 19.2.6 or later requirement when running vinext init (PR #1118, PR #1112) to prevent accidentally running a vulnerable version of React with Vinext.

OpenNext on Cloudflare: OpenNext is an adapter that lets you deploy Next.js apps to the Cloudflare Workers platform. OpenNext itself is not directly vulnerable to the React denial-of-service CVE, but users must update the Next.js version in their application. The OpenNext team has updated the adapter to further harden against these vectors and released a new version of the Cloudflare adapter. Test fixtures and examples have been updated to use patched versions (PR #1255).
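The Vinext paragraph above credits part of its resilience to stripping framework-internal headers such as x-nextjs-data at request boundaries. The following is an added illustration of that pattern as a Worker-style boundary filter; it is example code written for this page, not Vinext's or OpenNext's implementation. Only x-nextjs-data comes from the post; the other names and the prefix in the lists are hypothetical placeholders showing how a deployment would extend them.

```javascript
// Added example: strip framework-internal request headers at a trust boundary,
// the pattern the post credits to Vinext. Illustrative code, not Vinext's or
// OpenNext's implementation.

// Exact header names that must never arrive from the public internet.
// "x-nextjs-data" is the one the post names; the second entry is a
// hypothetical placeholder showing how a deployment extends the list.
const INTERNAL_HEADER_NAMES = new Set([
  "x-nextjs-data",
  "x-example-internal-routing", // hypothetical placeholder
]);

// Prefixes reserved for internal signalling (hypothetical assumption for this example).
const INTERNAL_HEADER_PREFIXES = ["x-example-internal-"];

// Header field names are case-insensitive (RFC 9110), so normalise before
// matching; otherwise "X-NextJS-Data" would slip past a lowercase denylist.
function isInternalHeader(name) {
  const n = String(name).trim().toLowerCase();
  if (INTERNAL_HEADER_NAMES.has(n)) return true;
  return INTERNAL_HEADER_PREFIXES.some((p) => n.startsWith(p));
}

// Takes an iterable of [name, value] pairs (what Headers.prototype.entries()
// or Object.entries(obj) yields) and returns the kept pairs plus the
// normalised names that were dropped, so the boundary can log what it stripped.
function stripInternalHeaders(pairs) {
  const kept = [];
  const stripped = [];
  for (const [name, value] of pairs) {
    if (isInternalHeader(name)) {
      stripped.push(String(name).trim().toLowerCase());
    } else {
      kept.push([name, value]);
    }
  }
  return { kept, stripped };
}

// Worker-style boundary: rebuild the incoming request with only the kept
// headers before handing it to the application. Requires the Fetch API
// globals (Request, Headers) that Workers and modern Node provide.
async function sanitizeRequest(request) {
  const { kept, stripped } = stripInternalHeaders(request.headers.entries());
  const headers = new Headers(kept);
  return { request: new Request(request, { headers }), stripped };
}

// Constructed sample of what a public-facing hop might receive.
const SAMPLE_HEADERS = [
  ["Host", "app.example"],
  ["X-NextJS-Data", "1"],
  ["accept", "*/*"],
  ["x-example-internal-routing", "abc"],
  ["X-Example-Internal-Trace", "t"],
];

console.log(stripInternalHeaders(SAMPLE_HEADERS));
```

Apply this only at the public edge (the boundary the post refers to), not between internal hops: the same header names are how the framework talks to itself, so stripping them inside the deployment would break legitimate data requests. Logging the `stripped` list gives a cheap detection signal for clients that are probing with internal headers.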
Summary of disclosed vulnerabilities

| Advisory | Severity | Issue | WAF status |
| --- | --- | --- | --- |
| CVE-2026-23870 / GHSA-8h8q-6873-q5fj | High | Denial of service in Server Components | WAF rules in place: 2694f1610c0b471393b21aef102ec699, aaede80b4d414dc89c443cea61680354. Cloudflare is investigating additional managed WAF coverage |
| GHSA-267c-6grr-h53f | High | Middleware bypass via segment-prefetch routes | Cloudflare is investigating if this can be safely and effectively mitigated by a managed WAF rule |
| GHSA-mg66-mrh9-m8jx | High | Denial of service via connection exhaustion in Cache Components | Cloudflare is investigating if this can be safely and effectively mitigated by a managed WAF rule |
| GHSA-492v-c6pp-mqqv | High | Middleware bypass via dynamic route parameter injection | Not possible to safely enable a managed WAF rule without potentially breaking application behavior |
| GHSA-c4j6-fc7j-m34r | High | SSRF via WebSocket upgrades | Not possible to safely enable a managed WAF rule without potentially breaking application behavior |
| GHSA-36qx-fr4f-26g5 | High | Middleware bypass in Pages Router i18n | Custom WAF rule possible; global managed rule could potentially break application behavior |
| GHSA-ffhc-5mcf-pf4q | Moderate | XSS via CSP nonces | Custom WAF rule possible; global managed rule could potentially break application behavior |
| GHSA-gx5p-jg67-6x7h | Moderate | XSS in beforeInteractive scripts | Not possible to safely enable a managed WAF rule without potentially breaking application behavior |
| GHSA-h64f-5h5j-jqjh | Moderate | Denial of service in Image Optimization API | Custom WAF rule possible; global managed rule could potentially break application behavior |
| GHSA-wfc6-r584-vfw7 | Moderate | Cache poisoning in RSC responses | Custom WAF rule possible; global managed rule could potentially break application behavior |
| GHSA-vfv6-92ff-j949 | Low | Cache poisoning via RSC cache-busting collisions | Not possible to safely enable a managed WAF rule without potentially breaking application behavior |
| GHSA-3g8h-86w9-wvmq | Low | Middleware redirect cache poisoning | Custom WAF rule possible; global managed rule could potentially break application behavior |
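Most rows of the table above end in "update" rather than a WAF rule, so the check that actually matters is whether the installed versions meet the patched versions the post lists (React Server Components packages 19.0.6 / 19.1.7 / 19.2.6, Next.js 15.5.16 / 16.2.5). The following is an added example written for this page, not Cloudflare's, React's or Vercel's tooling: it compares lockfile versions against those minimums per release line, flags any release line the post does not list as unknown rather than passing it, and rejects package.json ranges because only a resolved version says what actually runs. The lockfile fragment is constructed sample data.

```javascript
// Added example: check installed React Server Components packages and Next.js
// against the patched versions the post lists. Illustrative code, not
// Cloudflare's, React's or Vercel's tooling.

// Minimum fixed version per release line, taken from the post. A release line
// not listed here is reported as "unknown-line" rather than silently passed.
const PATCHED = {
  "react-server-dom-webpack":   { "19.0": "19.0.6", "19.1": "19.1.7", "19.2": "19.2.6" },
  "react-server-dom-parcel":    { "19.0": "19.0.6", "19.1": "19.1.7", "19.2": "19.2.6" },
  "react-server-dom-turbopack": { "19.0": "19.0.6", "19.1": "19.1.7", "19.2": "19.2.6" },
  "next":                       { "15.5": "15.5.16", "16.2": "16.2.5" },
};

// Parse "MAJOR.MINOR.PATCH[-prerelease]". Ranges such as "^19.2.0" from
// package.json are rejected: only a resolved (lockfile) version is meaningful.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(String(v).trim());
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Numeric tuple comparison; a prerelease sorts before the same numeric release,
// so "19.1.7-canary.1" does not count as having the 19.1.7 fix.
function compareVersions(a, b) {
  for (const k of ["major", "minor", "patch"]) {
    if (a[k] !== b[k]) return a[k] < b[k] ? -1 : 1;
  }
  if (a.pre && !b.pre) return -1;
  if (!a.pre && b.pre) return 1;
  return 0;
}

// status: "patched" | "vulnerable" | "unknown-line" | "unparseable" | "not-tracked"
function assess(pkg, installed) {
  const lines = PATCHED[pkg];
  if (!lines) return { pkg, installed, status: "not-tracked" };
  const v = parseVersion(installed);
  if (!v) return { pkg, installed, status: "unparseable" };
  const line = `${v.major}.${v.minor}`;
  const fixed = lines[line];
  if (!fixed) return { pkg, installed, status: "unknown-line", line };
  const ok = compareVersions(v, parseVersion(fixed)) >= 0;
  return { pkg, installed, status: ok ? "patched" : "vulnerable", fixed };
}

// Walk a map shaped like the "packages" section of a package-lock.json
// (path -> { version }), including nested copies under other dependencies.
function auditLockfile(packages) {
  const findings = [];
  for (const [path, meta] of Object.entries(packages)) {
    const idx = path.lastIndexOf("node_modules/");
    if (idx === -1) continue; // the "" root entry and anything odd
    const name = path.slice(idx + "node_modules/".length);
    if (!(name in PATCHED)) continue;
    findings.push(assess(name, meta.version));
  }
  return findings;
}

// Constructed sample lockfile fragment (versions chosen to exercise each branch).
const SAMPLE_PACKAGES = {
  "": { version: "0.0.0" },
  "node_modules/next": { version: "15.5.15" },
  "node_modules/react-server-dom-webpack": { version: "19.2.6" },
  "node_modules/react-server-dom-turbopack": { version: "19.1.7-canary.1" },
  "node_modules/some-lib/node_modules/react-server-dom-parcel": { version: "19.3.0" },
};

for (const f of auditLockfile(SAMPLE_PACKAGES)) console.log(f);
```

Run it against the real lockfile in CI and fail the build on anything other than "patched": a nested copy pulled in by another dependency is just as reachable as the top-level one, and an "unknown-line" result means the post gives no fixed version for that line, so the safe reading is "not yet verified", not "fine".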