Cloudflare has deployed a new security rule to protect against a critical vulnerability in React Server Components (RSC). This fix is automatic and applies to all Cloudflare customers, regardless of their plan, as long as their React application traffic is proxied through the Web Application Firewall (WAF).
The vulnerability affects several popular React frameworks, including Next.js, which can be exploited remotely. However, Cloudflare Workers are not affected by this exploit.
To ensure full protection, we recommend updating to the latest version of React 19.2.1 and the latest versions of Next.js (16.0.7, 15.5.7, 15.4.8). Additionally, customers on Professional, Business, or Enterprise plans should enable Managed Rules by following these steps.
The new protection was deployed at 5:00 PM GMT on Tuesday, December 2, 2025, and so far, we have not observed any attempted exploit. Our security team will continue to monitor for potential attack variations and update our protections as necessary to secure all traffic proxied via Cloudflare.
Source: https://blog.cloudflare.com/waf-rules-react-vulnerability