Protect Your React & Next.js Workloads from Critical Vulnerability

Google has warned of a critical vulnerability in React Server Components (CVE-2025-55182) and Next.js that exposes services to remote code execution risks when used for server-side use cases.

The vulnerability affects React versions 19 through 19.2.0 and Next.js versions 15 through 16. Patched releases are already available: React 19.2.1 and the corresponding Next.js version.

To mitigate this vulnerability, Google recommends updating your dependencies to the latest stable versions, deploying a Cloud Armor web application firewall (WAF) rule, and verifying WAF rule safety for your application.

Cloud Armor can be used to deliver and protect applications and services regardless of whether they are deployed on Google Cloud, on-premises, or with another infrastructure provider. To configure Cloud Armor to detect and block attempts to exploit CVE-2025-55182, use the preconfigured WAF rule that carries the new rule ID for this vulnerability.

It’s also recommended to patch your underlying frameworks by updating dependencies to the latest stable versions (React 19.2.1 or the relevant version of Next.js) and redeploying services. This is crucial for eliminating the vulnerability at its source and ensuring the continued integrity and security of your services.
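Before redeploying, it helps to confirm which installed copies of React and Next.js (including nested duplicates under other packages) fall in the affected ranges above. The script below is an added example, not code from Google or the React/Next.js projects; it assumes an npm package-lock.json in the v2/v3 format and, because the page does not state the patched Next.js release, only flags Next.js 15.x/16.x for manual confirmation rather than deciding it.

```javascript
// Added example (not from the Google advisory): audit an npm package-lock.json
// (v2/v3 "packages" map keyed by "node_modules/<name>") for React and Next.js
// versions in the ranges the advisory lists as affected by CVE-2025-55182.
// Next.js patched releases are not stated on the page, so 15.x/16.x is flagged
// for confirmation against the vendor's fixed version rather than judged here.

// "19.2.0" -> 19002000 (prerelease tags are ignored); null if not x.y.z.
function versionKey(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:$|[-+])/.exec(String(v));
  return m ? Number(m[1]) * 1e6 + Number(m[2]) * 1e3 + Number(m[3]) : null;
}

// React: 19.0.0 through 19.2.0 affected, 19.2.1 patched (per the advisory).
function reactStatus(version) {
  const k = versionKey(version);
  if (k === null) return "unparseable";
  if (k < versionKey("19.0.0")) return "not-affected";
  if (k <= versionKey("19.2.0")) return "VULNERABLE: upgrade to 19.2.1";
  return "patched";
}

// Next.js: majors 15 and 16 are in the affected range named by the advisory.
function nextStatus(version) {
  const k = versionKey(version);
  if (k === null) return "unparseable";
  const major = Math.floor(k / 1e6);
  return major === 15 || major === 16
    ? "REVIEW: affected major, confirm against vendor-patched release"
    : "not-affected";
}

// Report every installed copy, nested duplicates included, keyed by lock path.
function auditLock(lock) {
  const findings = {};
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();
    if (name === "react") findings[path] = reactStatus(meta.version);
    else if (name === "next") findings[path] = nextStatus(meta.version);
  }
  return findings;
}

// Constructed sample lockfile fragment (not real project data).
const sampleLock = { packages: {
  "": { name: "app" },
  "node_modules/react": { version: "19.2.0" },
  "node_modules/next": { version: "15.1.3" },
  "node_modules/legacy-widget/node_modules/react": { version: "18.3.1" },
} };
console.log(auditLock(sampleLock));
```

To run it against a real project, replace `sampleLock` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; any entry reported as VULNERABLE or REVIEW is a copy that must be upgraded before redeploying.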

For long-term mitigation, you will need to patch your origin servers as an essential step to eliminate the vulnerability. We will continue to monitor the situation closely and provide further updates and guidance as necessary.

Source: https://cloud.google.com/blog/products/identity-security/responding-to-cve-2025-55182