Barracuda Application Protection safeguards against critical React and Next.js flaws

Two newly disclosed critical remote code execution (RCE) vulnerabilities—CVE-2025-55182 and CVE-2025-66478—pose a serious threat to applications built on React and Next.js. These flaws allow attackers to execute arbitrary code on vulnerable systems, which can lead to application compromise, unauthorized access and potential data loss.

Why these matter

Exploitation requires no authentication, giving threat actors a fast track to take control of applications, steal sensitive data or disrupt critical services. With React and Next.js powering countless customer-facing and internal apps, the attack surface is substantial—and the risk is immediate. Organizations without robust protections are highly exposed.

Barracuda Application Protection—Recommendations

As part of Barracuda Application Protection, Barracuda Web Application Firewall (WAF) and Barracuda WAF-as-a-Service provide automatic protection against remote code execution attacks such as those enabled by these vulnerabilities. Security updates are pushed regularly to all customers running versions 12.1, 12.2 and GA, backed by Barracuda's cloud-based threat intelligence, which delivers real-time defense through signature updates and active detection.

For customers who have react-server-dom* packages at versions 19.0.0, 19.1.0, 19.1.1 or 19.2.0, or Next.js releases older than the patched 16.0.7, 15.5.7 and 15.4.8 builds, present in their environment, we strongly recommend following the guidance in these Barracuda Campus articles, which will be updated as new information becomes available:

All customers should review their application inventory to identify any use of React or Next.js with React Server Components, then update to the patched versions of React (19.2.1) and Next.js (16.0.7, 15.5.7 or 15.4.8, depending on the release line in use).
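The inventory step above can be scripted against an npm package-lock.json. The script below is an added example, not Barracuda's code and not part of the React or Next.js projects. The affected react-server-dom-* versions and the patched Next.js releases it checks are the ones named in this post; it is my assumption that Next.js minor lines for which the post lists no fix (for example 14.x or 15.3.x) should be reported for manual review rather than judged automatically. The sample lockfile is constructed for the example, and a match only proves the package is installed, not that the app actually serves React Server Components.

```javascript
// Added example (not Barracuda's or the React/Next.js projects' code):
// scan an npm package-lock.json (lockfileVersion 2/3 "packages" map) for the
// react-server-dom-* and Next.js versions the post above names.

// react-server-dom-webpack / -parcel / -turbopack versions the post lists as affected.
const VULNERABLE_RSD = new Set(['19.0.0', '19.1.0', '19.1.1', '19.2.0']);
// Next.js patched releases the post lists; older builds on the same minor line are flagged.
const PATCHED_NEXT = ['16.0.7', '15.5.7', '15.4.8'];

// Returns [major, minor, patch]; a leading "v" and any prerelease tag are ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// 'vulnerable' | 'patched' | 'review' for a Next.js version string.
function classifyNext(version) {
  const v = parseVersion(version);
  if (!v) return 'review';
  for (const p of PATCHED_NEXT) {
    const [pm, pn, pp] = parseVersion(p);
    if (v[0] === pm && v[1] === pn) return v[2] < pp ? 'vulnerable' : 'patched';
  }
  // Assumption: the post gives no fix version for other minor lines, so they are
  // handed to a human instead of being guessed at.
  return 'review';
}

// 'vulnerable' if the exact version is on the post's list, otherwise 'ok'.
function classifyRsd(version) {
  return VULNERABLE_RSD.has(version) ? 'vulnerable' : 'ok';
}

// Walks the "packages" map. Keys look like "node_modules/next" or
// "node_modules/foo/node_modules/react-server-dom-webpack"; nested copies count too.
function scanLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!meta || !meta.version) continue;
    const name = path.split('node_modules/').pop();
    if (name === 'next') {
      findings.push({ path, name, version: meta.version, status: classifyNext(meta.version) });
    } else if (/^react-server-dom-(webpack|parcel|turbopack)$/.test(name)) {
      findings.push({ path, name, version: meta.version, status: classifyRsd(meta.version) });
    }
  }
  return findings;
}

// Constructed sample lockfile: one vulnerable top-level pair plus nested copies.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/next': { version: '15.5.6' },
    'node_modules/react': { version: '19.2.0' },
    'node_modules/react-server-dom-webpack': { version: '19.2.0' },
    'node_modules/legacy-widget/node_modules/next': { version: '16.0.7' },
    'node_modules/legacy-widget/node_modules/react-server-dom-webpack': { version: '19.2.1' },
    'node_modules/old-tool/node_modules/next': { version: '14.2.3' },
  },
};

// Usage: node scan-lock.js [path/to/package-lock.json]; without a path the sample is used.
// Returns the number of vulnerable packages found.
function main(argv) {
  const lock = argv[2]
    ? JSON.parse(require('node:fs').readFileSync(argv[2], 'utf8'))
    : SAMPLE_LOCK;
  const findings = scanLockfile(lock);
  for (const f of findings) {
    console.log(`${f.status.padEnd(10)} ${f.name}@${f.version}  (${f.path || '<root>'})`);
  }
  const bad = findings.filter((f) => f.status === 'vulnerable').length;
  console.log(`${bad} vulnerable package(s) found`);
  return bad;
}

if (typeof require !== 'undefined' && require.main === module) main(process.argv);
```

Run it against each application's lockfile (or `npm ls next react-server-dom-webpack --all` output, which the same classifiers can be applied to); anything reported as `review` still needs a human to confirm whether it is on a patched release, and anything reported as `vulnerable` should be upgraded to the versions listed above.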

For environments not using the vulnerable React or Next.js versions, no further action is needed at this time.

Our commitment

Barracuda remains committed to helping organizations stay resilient against evolving threats.

Barracuda Application Protection provides:

  • Automatic safeguards: Instantly blocks malicious payloads designed to exploit React and Next.js vulnerabilities.
  • Layered defenses: Combines signature-based detection, behavioral analysis and AI-driven threat intelligence to stop RCE attempts.
  • Continuous updates: Real-time signature updates through Barracuda’s global threat intelligence network—no manual intervention required.
  • Ease of use: Centralized visibility and control through the BarracudaONE cybersecurity platform, ensuring strong defenses without added complexity.

Whether it’s email, network or application security, our unified platform approach ensures customers and partners can operate with confidence—even as attackers target new vulnerabilities.

Photo: babar ali 1233 / Shutterstock

This post originally appeared on Smarter MSP.