WAF and framework adapter mitigations for React and Next.js vulnerabilities
- #WAF Mitigations
- #Web Application Security
- #React Vulnerabilities
- Security vulnerabilities in React Server Components and Next.js include denial of service, middleware and proxy bypass, server-side request forgery, cross-site scripting, and cache poisoning.
- Patched versions are available for React (react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack at 19.0.6, 19.1.7, and 19.2.6) and Next.js (15.5.16 and 16.2.5). Immediate updates are strongly recommended.
- Cloudflare WAF rules for prior CVEs (CVE-2025-55184 and CVE-2026-23864) already block the new denial-of-service vulnerability (CVE-2026-23870) and are enabled by default for all customers using Managed Rulesets.
- Cloudflare is investigating WAF rules for high-severity advisories like GHSA-8h8q-6873-q5fj, GHSA-267c-6grr-h53f, and GHSA-mg66-mrh9-m8jx, but some vulnerabilities cannot be safely mitigated via WAF and require application updates.
- Vinext, a Vite plugin, is not vulnerable to the disclosed CVEs because of architectural differences, such as not implementing the PPR resume protocol; it nonetheless requires React 19.2.6 or later for added security.
- OpenNext, an adapter for deploying Next.js apps to Cloudflare Workers, is not directly vulnerable, but its users must still update their Next.js version; the adapter team is releasing a hardened version to address these vectors.
- A table of advisories shows varying WAF mitigation statuses, with some allowing custom rules, others under investigation, and some deemed impossible to block safely without breaking application behavior.
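A dependency check against the patched floors listed above, as an added example that is not from Cloudflare's post or the React and Next.js projects: it walks the `packages` map of a package-lock.json and reports each tracked package as patched or vulnerable relative to its own major.minor line. The lockfile contents are constructed, and reading a real file via `fs` and `JSON.parse` is left to the caller.

```javascript
// Added example (not Cloudflare's, React's or Next.js' code): flag lockfile entries
// below the patched versions named in the summary above. Package names and floors
// are from the summary; the sample lockfile is constructed.

// Lowest patched release per major.minor line, as stated in the summary.
const PATCHED = {
  "react-server-dom-webpack": ["19.0.6", "19.1.7", "19.2.6"],
  "react-server-dom-parcel": ["19.0.6", "19.1.7", "19.2.6"],
  "react-server-dom-turbopack": ["19.0.6", "19.1.7", "19.2.6"],
  next: ["15.5.16", "16.2.5"],
};

// "MAJOR.MINOR.PATCH[-pre]" -> [major, minor, patch, pre]; pre is -1 for a
// prerelease so that 19.2.6-canary.0 sorts below the 19.2.6 release.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?$/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3]), m[4] ? -1 : 0];
}
const compare = (a, b) => a.map((x, i) => x - b[i]).find((d) => d !== 0) ?? 0;

// One of "patched", "vulnerable", "unknown-line", "not-tracked". A version is
// compared only against the floor of its own major.minor line; lines the
// summary does not mention (e.g. next 14.x) come back as "unknown-line".
function assess(pkg, version) {
  const floors = PATCHED[pkg];
  if (!floors) return "not-tracked";
  const v = parseVersion(version);
  const floor = floors.map(parseVersion).find((f) => f[0] === v[0] && f[1] === v[1]);
  if (!floor) return "unknown-line";
  return compare(v, floor) >= 0 ? "patched" : "vulnerable";
}

// Walk the "packages" map of a package-lock.json (lockfileVersion 2 or 3),
// nested node_modules paths included, and assess every tracked package.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();
    if (!PATCHED[name] || !entry.version) continue;
    findings.push({ name, version: entry.version, status: assess(name, entry.version) });
  }
  return findings;
}

// Constructed sample lockfile, not taken from any real project.
const SAMPLE_LOCK = { packages: {
  "node_modules/next": { version: "15.5.15" },
  "node_modules/react-server-dom-webpack": { version: "19.2.6" },
} };
```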