WAF – WAF Release – 2025-12-03 – Emergency

The WAF rule deployed yesterday to block unsafe deserialization-based RCE has been updated. The rule description now reads “React – RCE – CVE-2025-55182”, explicitly mapping to the recently disclosed React Server Components vulnerability. Detection logic remains unchanged.

Key Findings

Rule description updated to reference React – RCE – CVE-2025-55182 while retaining existing unsafe-deserialization detection.

Impact

Improved classification and traceability with no change to coverage against remote code execution attempts.

| Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
|---|---|---|---|---|---|---|
| Cloudflare Managed Ruleset | 33aa8a8a948b48b28d40450c5fb92fba | N/A | React – RCE – CVE:CVE-2025-55182 | N/A | Block | Rule metadata description changed. Detection unchanged. |
| Cloudflare Free Ruleset | 2b5d06e34a814a889bee9a0699702280 | N/A | React – RCE – CVE:CVE-2025-55182 | N/A | Block | Rule metadata description changed. Detection unchanged. |
