zlacker

1. karimf+(OP) 2025-12-03 18:03:13
> Projects hosted on Vercel benefit from platform-level protections that already block malicious request patterns associated with this issue.

https://vercel.com/changelog/cve-2025-55182

> Cloudflare WAF proactively protects against React vulnerability

https://blog.cloudflare.com/waf-rules-react-vulnerability/

replies(3): >>Rauchg+I >>serhal+Oc >>Jnr+ei1
2. Rauchg+I 2025-12-03 18:07:12
>>karimf+(OP)
We collaborated with many industry partners to proactively deploy mitigations due to the severity of the issue.

We still strongly recommend that everyone upgrade their Next, React, and other React meta-framework (peer) dependencies immediately.

replies(2): >>semiqu+ge >>vanwal+4h3
3. serhal+Oc 2025-12-03 19:06:39
>>karimf+(OP)
Same for Netlify: https://www.netlify.com/changelog/2025-12-03-react-security-...

and Deno Deploy/Subhosting: https://deno.com/blog/react-server-functions-rce

4. semiqu+ge 2025-12-03 19:14:16
>>Rauchg+I
Does AWS WAF have a mitigation in place?
replies(1): >>odie55+WD1
5. Jnr+ei1 2025-12-04 01:36:34
>>karimf+(OP)
I patched and rebuilt what I could and added custom CrowdSec WAF rules for this, in case I missed something.
6. odie55+WD1 2025-12-04 05:25:38
>>semiqu+ge
Yes, the AWS WAF rule is in AWSManagedRulesKnownBadInputsRuleSet https://aws.amazon.com/security/security-bulletins/rss/aws-2...
7. vanwal+4h3 2025-12-04 17:37:07
>>Rauchg+I
Does this include any provider that does not fall under the US CLOUD Act? This vulnerability disclosure timeline is a nightmare for us Europeans; it was fully disclosed yesterday late afternoon for us, and I can trace back attack logs that happened during the night. I expect some downfalls from this.

I genuinely believe Next.JS is a great framework, but as a European developer working on software that should not touch anything related to the CLOUD Act, you're just telling me that Next.JS and React, despite being OSS, are not made for me anymore.

replies(1): >>bfelbo+ba5
8. bfelbo+ba5 2025-12-05 07:13:14
>>vanwal+4h3
It’s infuriating how US-centric some OSS maintainers can be. Really sad if the OSS ecosystem also has to fragment into pieces like much of the internet is starting to.