Mitigating critical React and Next.js remote code execution (RCE) threats with Barracuda Application Protection
Takeaways
- Two recent RCE vulnerabilities allow unauthenticated exploitation in certain customer-facing or internal applications.
- Customers running React Server Components (19.0.0–19.2.0) or specific Next.js versions must update immediately and should review Barracuda Campus guidance.
- Barracuda Application Protection provides proactive defense through signature-based detection, behavioral analysis and AI-driven threat intelligence—requiring no manual intervention.
- BarracudaONE offers centralized visibility and layered defenses across email, network and application security, ensuring resilience against evolving threats.
Two newly disclosed critical remote code execution (RCE) vulnerabilities—CVE-2025-55182 and CVE-2025-66478—pose a serious threat to applications built on React and Next.js. These flaws allow attackers to execute arbitrary code on vulnerable systems, which can lead to application compromise, unauthorized access and potential data loss.
Why these matter
Exploitation requires no authentication, giving threat actors a fast track to take control of applications, steal sensitive data or disrupt critical services. With React and Next.js powering countless customer-facing and internal apps, the attack surface is substantial—and the risk is immediate. Organizations without robust protections are highly exposed.
Barracuda Application Protection—Recommendations
As part of Barracuda Application Protection, Barracuda Web Application Firewall (WAF) and Barracuda WAF-as-a-Service provide automatic protection against remote code execution attacks such as the ones presented by these vulnerabilities. Security updates are regularly pushed to all customers running versions 12.1, 12.2 and GA, backed by Barracuda’s cloud-based threat intelligence, which delivers real-time defense through signature updates and active detection.
For customers who have react-server-dom* (19.0.0, 19.1.0, 19.1.1, and 19.2.0) or Next.js (16.0.7, 15.5.7 and 15.4.8) present in their environment, we strongly recommend following the guidance in these Barracuda Campus articles, which will be updated as new information becomes available:
- https://campus.barracuda.com/product/webapplicationfirewall/doc/788704332/cve-2025-55182-react-next-js-remote-code-execution-vulnerabilities/
- https://campus.barracuda.com/product/loadbalanceradc/doc/788617632/cve-2025-55182-react-next-js-remote-code-execution-vulnerabilities/
- https://campus.barracuda.com/product/WAAS/doc/788639261/cve-2025-55182-react-next-js-remote-code-execution-vulnerabilities/
We advise all customers to review their application inventory to identify any use of React or Next.js with React Server Components, and update to the latest versions of React (19.2.1) and Next.js (16.0.7, 15.5.7 and 15.4.8).
For environments not using the vulnerable React or Next.js versions, no further action is needed at this time.
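The inventory review recommended above can be scripted. The following is an added example, not Barracuda code, that checks a flattened dependency map (as produced from a package.json or lockfile) against the versions named in this post: it flags the listed react-server-dom* releases (19.0.0, 19.1.0, 19.1.1, 19.2.0) and points at React 19.2.1, and it compares an installed next version against the patched releases 16.0.7, 15.5.7 and 15.4.8. The treatment of Next.js is an assumption beyond the text: a version on one of those three release lines that is older than the patched release is reported as unpatched, and any other release line is reported as "unknown" so it can be checked against the Barracuda Campus articles rather than silently passed. The sample dependency map is constructed for the demonstration.

```javascript
// Added example (not Barracuda's or the React/Next.js projects' code):
// audit a { packageName: version } map against the versions named in the advisory.

// react-server-dom* versions listed as affected, and the fixed React release.
const AFFECTED_RSD = new Set(["19.0.0", "19.1.0", "19.1.1", "19.2.0"]);
const FIXED_REACT = "19.2.1";

// Patched Next.js release per release line, as listed in the advisory.
// Assumption (not stated on the page): an older version on one of these lines
// is treated as unpatched; lines not in this table are reported as "unknown".
const NEXT_PATCHED_BY_LINE = { "16.0": "16.0.7", "15.5": "15.5.7", "15.4": "15.4.8" };

// Parse "1.2.3", "^1.2.3", "~1.2.3" or "v1.2.3" into [major, minor, patch];
// returns null for ranges that carry no concrete version (e.g. "latest", "*").
function parseVersion(v) {
  const m = /^\D*(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns a finding object for packages the advisory covers, null otherwise.
function assessPackage(name, version) {
  if (/^react-server-dom-/.test(name)) {
    const parsed = parseVersion(version);
    const exact = parsed ? parsed.join(".") : String(version);
    if (AFFECTED_RSD.has(exact)) {
      return { name, version, status: "affected", advice: `update to ${FIXED_REACT}` };
    }
    return { name, version, status: "ok" };
  }
  if (name === "next") {
    const parsed = parseVersion(version);
    if (!parsed) {
      return { name, version, status: "unknown", advice: "no concrete version pinned; inspect the lockfile" };
    }
    const line = `${parsed[0]}.${parsed[1]}`;
    const patched = NEXT_PATCHED_BY_LINE[line];
    if (!patched) {
      return { name, version, status: "unknown", advice: "release line not covered here; consult vendor guidance" };
    }
    if (compareVersions(parsed, parseVersion(patched)) < 0) {
      return { name, version, status: "affected", advice: `update to ${patched}` };
    }
    return { name, version, status: "ok" };
  }
  return null;
}

// Audit a flat { name: version } map; returns only findings for covered packages.
function auditDependencies(deps) {
  const findings = [];
  for (const [name, version] of Object.entries(deps)) {
    const finding = assessPackage(name, version);
    if (finding) findings.push(finding);
  }
  return findings;
}

// Convenience wrapper for a parsed package.json object (dependencies + devDependencies).
function auditPackageJson(pkg) {
  return auditDependencies({ ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) });
}

// Constructed sample: dependency map of a hypothetical application.
const SAMPLE_DEPS = {
  "react": "19.2.0",
  "react-server-dom-webpack": "19.2.0",
  "next": "15.5.3",
  "express": "4.19.2",
};

// Usage: node audit.js  (prints one line per covered package)
for (const f of auditDependencies(SAMPLE_DEPS)) {
  console.log(`${f.name}@${f.version}: ${f.status}${f.advice ? " (" + f.advice + ")" : ""}`);
}
```

Run it against the real package.json or a lockfile flattened to name/version pairs; the "unknown" status is deliberate, so that release lines this post does not enumerate end up in a manual review queue rather than being reported as safe.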
Our commitment
Barracuda remains committed to helping organizations stay resilient against evolving threats.
Barracuda Application Protection provides:
- Automatic safeguards: Instantly blocks malicious payloads designed to exploit React and Next.js vulnerabilities.
- Layered defenses: Combines signature-based detection, behavioral analysis and AI-driven threat intelligence to stop RCE attempts.
- Continuous updates: Real-time signature updates through Barracuda’s global threat intelligence network—no manual intervention required.
- Ease of use: Centralized visibility and control through the BarracudaONE cybersecurity platform, ensuring strong defenses without added complexity.
Whether it’s email, network or application security, our unified platform approach ensures customers and partners can operate with confidence—even as attackers target new vulnerabilities.