Executive summary (TL;DR)
At a glance
The issue: A critical remote code execution (RCE) vulnerability, dubbed "React2Shell," affects React Server Components and Next.js (CVE-2025-55182).
Severity: 10.0 (Critical).
Status: Active exploitation observed in the wild; public proof-of-concept code is available.
HAProxy protection
HAProxy Enterprise WAF: Customers using the HAProxy Enterprise WAF, powered by the Intelligent WAF Engine, are protected against most attack vectors. Refined rulesets covering remaining edge cases are available.
HAProxy Community Edition: We provide sample ACLs based on industry recommendations and the known attack vectors.
Immediate action required: If you are running React or Next.js behind HAProxy, update your WAF rulesets immediately and plan to patch your backend applications.
What is CVE-2025-55182 (React2Shell)?
On December 3, 2025, the React team announced a critical security vulnerability in React Server Components (RSC). Identified as CVE-2025-55182 (and covering the now-duplicate CVE-2025-66478), this flaw allows unauthenticated attackers to execute arbitrary JavaScript code on backend servers.
Technical impact:
The vulnerability stems from insecure deserialization in the RSC "Flight" protocol that React uses for client-server communication. By sending a specially crafted HTTP request body, an attacker can manipulate how React decodes the payload and steer server-side execution, resulting in arbitrary code execution on the server.
Because the flaw exists in the default configuration of affected applications — including those built with standard frameworks like Next.js — deployments are immediately at risk without requiring any developer code changes.
CVSS v3 Score: 10.0 (Critical).
Affected versions:
React: Versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 (the vulnerable code ships in the react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack packages).
Next.js: Versions 15.x and 16.x using App Router.
Other Frameworks: Any library bundling the vulnerable react-server implementation (e.g., Waku, RedwoodSDK).
How HAProxy One protects your infrastructure
While patching the upstream application is the only complete remediation, HAProxy One provides a multi-layered security platform that stops attack traffic at the edge of your network, before it reaches your vulnerable servers, and buys you time to patch.
1. Managed protection with HAProxy Edge
For customers using HAProxy Edge, our managed Application Delivery Network (ADN), no immediate action is required on your part to enable protection. Your traffic is already being filtered through our global network, which is regularly updated with the latest threat intelligence and WAF rulesets. This ensures you have the best protection available while you plan your backend patching strategy.
2. Automatic protection with HAProxy Enterprise WAF
For customers using HAProxy Enterprise WAF with the Intelligent WAF Engine (for CRS mode, see section 3 below), protection against this exploit is available via our latest rule updates.
Our initial testing confirmed that the HAProxy Enterprise WAF already blocked most identified malicious payloads associated with this vulnerability. To ensure comprehensive coverage, our security team has refined the ruleset to handle specific edge cases derived from global traffic analysis on HAProxy Edge. This threat intelligence, enhanced by machine learning, ensures your protection evolves as fast as the threat landscape.
Action required:
Update your WAF rulesets immediately to ensure you have the latest protections released on December 5th. Follow these instructions to update quickly:
3. Moderate protection with CRS mode (ModSecurity)
For customers using HAProxy Enterprise WAF in the OWASP CRS compatibility mode, or the standalone lb-modsecurity module, protection against this vulnerability depends on your active rule version. This is due to the signature-based approach that the OWASP Core Rule Set provides. We advise customers to use the latest stable CRS v4 ruleset and ensure rules REQUEST-920-PROTOCOL-ENFORCEMENT, REQUEST-934-APPLICATION-ATTACK-GENERIC, and REQUEST-949-BLOCKING-EVALUATION are enabled.
If you are an HAProxy customer and are unsure about what protections you may have or best practices, please contact support.
Protections with HAProxy Community Edition
Below is a sample configuration for Community Edition users. It is based on industry recommendations and the known attack vectors and is expected to provide reasonable protection, but it may not cover all edge cases. We will update it as we learn more.
A basic example of the recommended ACLs is provided here:
```haproxy
frontend www
    ...
    # req.body is only available once the request body has been buffered
    option http-buffer-request
    # ACLs to detect the React CVE (acl lines that share a name are OR'd together)
    acl is_form_content req.hdr(Content-Type) -m sub multipart/form-data
    acl is_form_content req.hdr(Content-Type) -m sub application/x-www-form-urlencoded
    acl header_has_cve_2025_55182 req.hdr(next-action) -m found
    acl header_has_cve_2025_55182 req.hdr(rsc-action-id) -m found
    # the patterns after -m sub are OR'd; -i makes the substring match case-insensitive
    acl body_has_cve_2025_55182 req.body -m sub -i constructor prototype __proto__ _response:
    # take action only when all three conditions hold (space-separated ACLs are AND'd)
    http-request deny status 403 if is_form_content header_has_cve_2025_55182 body_has_cve_2025_55182
```
Two caveats when deploying this: an ACL condition cannot contain the keyword "or" inside the acl line itself, so alternative values are expressed either as several patterns on one line or as repeated acl lines with the same name, as above; and req.body only exposes the portion of the body that HAProxy buffered, which is bounded by tune.bufsize (16 KB by default). A request whose matching tokens sit beyond that point is not inspected, so raise tune.bufsize if your Server Actions legitimately carry large bodies.
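To check what the three-way rule will and will not deny before it goes into production, the following offline model of the ACL logic is an added example (not HAProxy's code and not from the original page). It mirrors the sample configuration as written: a case-sensitive substring match on Content-Type, presence of a Next-Action or RSC-Action-Id header, and a case-insensitive substring match on the buffered body. It assumes a default tune.bufsize of 16384 bytes, and every request in it is a constructed test input; the "suspicious" body only carries a detection token, not an exploit payload.

```python
# Added example: offline model of the Community Edition sample ACLs.
# Not HAProxy code; semantics follow the acl lines as written on the page.
from dataclasses import dataclass

# Assumption: HAProxy buffers at most tune.bufsize bytes (default 16384) with
# option http-buffer-request, so req.body never sees anything past that point.
DEFAULT_BUFSIZE = 16384

FORM_TYPES = ("multipart/form-data", "application/x-www-form-urlencoded")
ACTION_HEADERS = ("next-action", "rsc-action-id")
BODY_TOKENS = ("constructor", "prototype", "__proto__", "_response:")


@dataclass
class Request:
    headers: dict
    body: bytes

    def header(self, name: str):
        """Case-insensitive lookup on the header name, as req.hdr() does."""
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None


def is_form_content(req: Request) -> bool:
    # -m sub without -i: case-sensitive substring match on the Content-Type value
    content_type = req.header("Content-Type") or ""
    return any(t in content_type for t in FORM_TYPES)


def header_has_cve(req: Request) -> bool:
    # -m found: the header exists, whatever its value
    return any(req.header(h) is not None for h in ACTION_HEADERS)


def body_has_cve(req: Request, bufsize: int = DEFAULT_BUFSIZE) -> bool:
    # -m sub -i over the buffered part of the body only
    buffered = req.body[:bufsize].lower()
    return any(tok.encode().lower() in buffered for tok in BODY_TOKENS)


def denied(req: Request, bufsize: int = DEFAULT_BUFSIZE) -> bool:
    """True when http-request deny would fire: all three ACLs must match."""
    return is_form_content(req) and header_has_cve(req) and body_has_cve(req, bufsize)


def multipart(fields: dict, boundary: str = "ReactExample") -> bytes:
    """Build a minimal multipart/form-data body from field -> value."""
    parts = [
        f'--{boundary}\r\nContent-Disposition: form-data; name="{name}"\r\n\r\n{value}\r\n'
        for name, value in fields.items()
    ]
    return ("".join(parts) + f"--{boundary}--\r\n").encode()


ACTION_HEADERS_MULTIPART = {
    "Content-Type": "multipart/form-data; boundary=ReactExample",
    "Next-Action": "a1b2c3",
}

# Constructed inputs (not captured traffic)
BENIGN_LOGIN = Request(
    {"Content-Type": "application/x-www-form-urlencoded"},
    b"username=alice&password=correct-horse",
)
# An ordinary Server Action call: action header present, nothing suspicious in the body.
NORMAL_ACTION = Request(ACTION_HEADERS_MULTIPART, multipart({"0": '["hello"]'}))
# Exploit-shaped: form content type + action header + a prototype-style token.
SUSPICIOUS = Request(ACTION_HEADERS_MULTIPART, multipart({"0": '{"__proto__": {}}'}))
# Same token, but after 20 KB of padding, i.e. beyond the default buffer.
PADDED = Request(ACTION_HEADERS_MULTIPART, multipart({"0": "A" * 20000 + "__proto__"}))


def summary(bufsize: int = DEFAULT_BUFSIZE) -> dict:
    """Which constructed requests the rule denies at a given buffer size."""
    return {
        "benign_login": denied(BENIGN_LOGIN, bufsize),
        "normal_action": denied(NORMAL_ACTION, bufsize),
        "suspicious": denied(SUSPICIOUS, bufsize),
        "padded": denied(PADDED, bufsize),
    }


if __name__ == "__main__":
    print("default tune.bufsize:", summary())
    print("tune.bufsize 32768: ", summary(32768))
```

The "padded" case is the one to watch: with the default buffer the token is never inspected and the request passes, while a larger tune.bufsize catches it. The model is only as faithful as the acl lines it copies; if you change the patterns in HAProxy, change them here too.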
Additional defensive measures
While HAProxy mitigates the immediate risk, we recommend a multi-layered security strategy:
Patch the source: Apply the official fixes immediately. The React team has released versions 19.0.1, 19.1.2, and 19.2.1 to address this issue.
Monitor logs: Watch your HAProxy logs for a spike in HTTP 403 responses. Requests denied by the rule above are logged with status 403 and a termination state beginning with "PR" (request blocked by the proxy), which distinguishes them from 403s returned by your application.
Audit your environment: Recent data suggests up to 39% of cloud environments may contain vulnerable instances. Inventory every public-facing application running Next.js or React Server Components, including those built on other frameworks that bundle react-server.
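The log-monitoring step above is easier to act on if denials are counted per client and per minute rather than read off a status-code graph. The following parser for HAProxy "option httplog" lines is an added example (not HAProxy's code and not from the original page): it picks out only the 403s that HAProxy itself denied (no server selected, termination state "PR"), so application-generated 403s do not inflate the count. The log lines are constructed samples, not real traffic, and the threshold of three denials per minute is an assumption to tune for your environment.

```python
# Added example: count proxy-denied requests in HAProxy httplog output.
# Not HAProxy code; the sample lines below are constructed, not captured.
import re
from collections import Counter
from datetime import datetime

# httplog fields after the syslog prefix: client:port [accept_date] frontend
# backend/server Tq/Tw/Tc/Tr/Ta status bytes req_cookie resp_cookie term_state
# conn_counts queue_counts [captures] "request".  re.search skips the prefix.
LOG_RE = re.compile(
    r'(?P<client>[0-9a-fA-F.:]+):(?P<cport>\d+) '
    r'\[(?P<ts>[^\]]+)\] (?P<frontend>\S+) (?P<backend>[^/ ]+)/(?P<server>\S+) '
    r'(?P<timers>[-\d/]+) (?P<status>\d{3}) (?P<bytes>\d+) \S+ \S+ (?P<term>\S{4}) '
    r'.*?"(?P<request>[^"]*)"\s*$'
)


def parse_line(line: str):
    """Return the interesting fields as a dict, or None if the line is not httplog."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S.%f")
    rec["status"] = int(rec["status"])
    return rec


def is_denied(rec) -> bool:
    # http-request deny answers the 403 itself: the termination state starts
    # with "PR" (blocked by the proxy) and no server was chosen (<NOSRV>).
    return rec["status"] == 403 and rec["term"].startswith("PR")


def denials_per_minute(lines):
    """Counter keyed by (client, minute) for requests HAProxy itself denied."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and is_denied(rec):
            counts[(rec["client"], rec["ts"].strftime("%Y-%m-%d %H:%M"))] += 1
    return counts


def noisy_clients(lines, threshold: int = 3):
    """Clients whose denials in any single minute reach the threshold (assumed value)."""
    per_minute = denials_per_minute(lines)
    return sorted({client for (client, _), n in per_minute.items() if n >= threshold})


# Constructed sample: one source hammering a Server Action endpoint and being
# denied by the rule, one ordinary client whose 403 came from the application.
SAMPLE_LOG = """\
Dec  5 10:00:01 lb1 haproxy[1234]: 203.0.113.10:51234 [05/Dec/2025:10:00:01.101] www www/<NOSRV> 0/-1/-1/-1/0 403 187 - - PR-- 12/12/0/0/0 0/0 "POST /login HTTP/1.1"
Dec  5 10:00:02 lb1 haproxy[1234]: 203.0.113.10:51240 [05/Dec/2025:10:00:02.215] www www/<NOSRV> 0/-1/-1/-1/0 403 187 - - PR-- 12/12/0/0/0 0/0 "POST /login HTTP/1.1"
Dec  5 10:00:02 lb1 haproxy[1234]: 203.0.113.10:51244 [05/Dec/2025:10:00:02.903] www www/<NOSRV> 0/-1/-1/-1/0 403 187 - - PR-- 12/12/0/0/0 0/0 "POST /dashboard HTTP/1.1"
Dec  5 10:00:03 lb1 haproxy[1234]: 198.51.100.7:40210 [05/Dec/2025:10:00:03.010] www app/srv1 0/0/1/12/13 200 5120 - - ---- 12/12/1/1/0 0/0 "GET /index.html HTTP/1.1"
Dec  5 10:00:04 lb1 haproxy[1234]: 198.51.100.7:40212 [05/Dec/2025:10:00:04.600] www app/srv1 0/0/1/8/9 403 230 - - ---- 12/12/1/1/0 0/0 "GET /admin HTTP/1.1"
Dec  5 10:01:30 lb1 haproxy[1234]: 203.0.113.10:51300 [05/Dec/2025:10:01:30.004] www www/<NOSRV> 0/-1/-1/-1/0 403 187 - - PR-- 12/12/0/0/0 0/0 "POST /login HTTP/1.1"
""".splitlines()


if __name__ == "__main__":
    for key, n in sorted(denials_per_minute(SAMPLE_LOG).items()):
        print(key, n)
    print("noisy clients:", noisy_clients(SAMPLE_LOG))
```

Feed it a real log with `denials_per_minute(open("/var/log/haproxy.log"))`; if you use a custom log-format, adjust LOG_RE to match it. The termination-state check is what keeps the count honest: the 198.51.100.7 request to /admin is a 403, but it was served by app/srv1 with state "----" and is not a WAF event.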
Conclusion
Vulnerabilities like React2Shell highlight the volatility of the modern threat landscape. With threat actors operationalizing exploits within hours of disclosure, relying solely on patching backend applications leaves a dangerous window of exposure.
HAProxy One provides the robust, multi-layered security needed to “virtually patch” vulnerabilities instantly. By leveraging the intelligence derived from our global traffic, our WAF rulesets evolve in real time to protect your infrastructure.
Next steps
Existing Customers: Update your WAF rulesets now to the version released December 5th.
Evaluate Security: If you want automatic protection against future zero-days, contact us to learn more about HAProxy One.