{"id":446,"date":"2026-05-07T12:00:00","date_gmt":"2026-05-07T12:00:00","guid":{"rendered":"https:\/\/wordpress.securinsight.ca\/index.php\/2026\/05\/07\/workers-waf-waf-and-framework-adapter-mitigations-for-react-and-next-js-vulnerabilities\/"},"modified":"2026-05-07T12:00:00","modified_gmt":"2026-05-07T12:00:00","slug":"workers-waf-waf-and-framework-adapter-mitigations-for-react-and-next-js-vulnerabilities","status":"publish","type":"post","link":"https:\/\/wordpress.securinsight.ca\/index.php\/2026\/05\/07\/workers-waf-waf-and-framework-adapter-mitigations-for-react-and-next-js-vulnerabilities\/","title":{"rendered":"Workers, WAF – WAF and framework adapter mitigations for React and Next.js vulnerabilities"},"content":{"rendered":"

Multiple security vulnerabilities were disclosed by the React team and Vercel affecting React Server Components and Next.js. These include denial of service, middleware and proxy bypass, server-side request forgery, cross-site scripting, and cache poisoning issues across a range of severity levels.<\/p>\n

We strongly recommend updating your application and its dependencies immediately.<\/strong> Patched versions are available for React (react-server-dom-webpack<\/code>, react-server-dom-parcel<\/code>, and react-server-dom-turbopack<\/code> 19.0.6<\/code>, 19.1.7<\/code>, and 19.2.6<\/code>) and Next.js (15.5.16<\/code> and 16.2.5<\/code>).<\/p>\n

WAF protections<\/h4>\n

Cloudflare WAF rules deployed in response to prior React Server Component CVEs (CVE-2025-55184<\/code><\/a> and CVE-2026-23864<\/code><\/a>) already provide coverage for the newly disclosed denial-of-service vulnerabilities. These rules are enabled by default with a Block action for all customers using the Cloudflare Managed Ruleset, including Free plan customers using the Free Managed Ruleset.<\/p>\n\n\n\n\n\n\n
Ruleset<\/th>\nRule description<\/th>\nRule ID<\/th>\nDefault action<\/th>\n<\/tr>\n<\/thead>\n
Cloudflare Managed Ruleset<\/td>\nReact – DoS – CVE-2025-55184<\/code><\/a><\/td>\n2694f1610c0b471393b21aef102ec699<\/code><\/td>\nBlock<\/td>\n<\/tr>\n
Cloudflare Managed Ruleset<\/td>\nReact – DoS – CVE-2026-23864<\/code><\/a><\/td>\naaede80b4d414dc89c443cea61680354<\/code><\/td>\nBlock<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

The existing rules detect the underlying attack patterns generically. As a result, they apply to the new CVE-2026-23870<\/code><\/a> denial-of-service vulnerability in Server Components and the corresponding Next.js advisory GHSA-8h8q-6873-q5fj<\/code><\/a>.<\/p>\n

Cloudflare is investigating whether WAF rules can be safely and effectively deployed for three of the high-severity advisories: CVE-2026-23870<\/code><\/a> \/ GHSA-8h8q-6873-q5fj<\/code><\/a>, GHSA-267c-6grr-h53f<\/code><\/a>, and GHSA-mg66-mrh9-m8jx<\/code><\/a>. If it is possible to create a managed WAF rule that mitigates these CVEs and does not potentially break application behavior, Cloudflare will add additional managed WAF rules. These rules will be announced through the WAF changelog<\/a>. Because these vulnerabilities were shared with Cloudflare with minimal advance notice, we are still investigating what WAF mitigations are possible.<\/p>\n

Several of the disclosed vulnerabilities are not possible to block in WAF. We strongly recommend updating your applications so they are not purely reliant on WAF mitigations.<\/p>\n

Customers on Pro, Business, or Enterprise plans should ensure that Managed Rules are enabled<\/a>.<\/p>\n

Next.js adapters<\/h4>\n

Vinext:<\/strong> Vinext<\/a> is a Vite plugin that reimplements the Next.js API surface. Vinext’s latest release is not vulnerable to any of the disclosed CVEs. Vinext’s architecture differs from stock Next.js in ways that sidestep the affected code paths. For example, it does not implement the PPR resume protocol, does not expose Pages Router data-route endpoints, and strips internal headers such as x-nextjs-data<\/code> at request boundaries. As an extra layer of defense, we added a React 19.2.6<\/code> or later requirement when running vinext init<\/code> (PR #1118<\/a>, PR #1112<\/a>) to prevent accidentally running a vulnerable version of React with Vinext.<\/p>\n

OpenNext on Cloudflare:<\/strong> OpenNext is an adapter that lets you deploy Next.js apps to the Cloudflare Workers platform. OpenNext itself is not directly vulnerable to the React denial-of-service CVE, but users must update the Next.js version in their application. The OpenNext team has updated the adapter to further harden against these vectors and released a new version of the Cloudflare adapter. Test fixtures and examples have been updated to use patched versions (PR #1255<\/a>).<\/p>\n

Summary of disclosed vulnerabilities<\/h4>\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
Advisory<\/th>\nSeverity<\/th>\nIssue<\/th>\nWAF status<\/th>\n<\/tr>\n<\/thead>\n
CVE-2026-23870<\/code><\/a> \/ GHSA-8h8q-6873-q5fj<\/code><\/a><\/td>\nHigh<\/td>\nDenial of service in Server Components<\/td>\nWAF rules in place:<\/strong> 2694f1610c0b471393b21aef102ec699<\/code>, aaede80b4d414dc89c443cea61680354<\/code>
Cloudflare is investigating additional managed WAF coverage<\/td>\n<\/tr>\n
GHSA-267c-6grr-h53f<\/code><\/a><\/td>\nHigh<\/td>\nMiddleware bypass via segment-prefetch routes<\/td>\nCloudflare is investigating if this can be safely and effectively mitigated by a managed WAF rule<\/td>\n<\/tr>\n
GHSA-mg66-mrh9-m8jx<\/code><\/a><\/td>\nHigh<\/td>\nDenial of service via connection exhaustion in Cache Components<\/td>\nCloudflare is investigating if this can be safely and effectively mitigated by a managed WAF rule<\/td>\n<\/tr>\n
GHSA-492v-c6pp-mqqv<\/code><\/a><\/td>\nHigh<\/td>\nMiddleware bypass via dynamic route parameter injection<\/td>\nNot possible to safely enable a managed WAF rule without potentially breaking application behavior<\/td>\n<\/tr>\n
GHSA-c4j6-fc7j-m34r<\/code><\/a><\/td>\nHigh<\/td>\nSSRF via WebSocket upgrades<\/td>\nNot possible to safely enable a managed WAF rule without potentially breaking application behavior<\/td>\n<\/tr>\n
GHSA-36qx-fr4f-26g5<\/code><\/a><\/td>\nHigh<\/td>\nMiddleware bypass in Pages Router i18n<\/td>\nCustom WAF rule possible; global managed rule could potentially break application behavior<\/td>\n<\/tr>\n
GHSA-ffhc-5mcf-pf4q<\/code><\/a><\/td>\nModerate<\/td>\nXSS via CSP nonces<\/td>\nCustom WAF rule possible; global managed rule could potentially break application behavior<\/td>\n<\/tr>\n
GHSA-gx5p-jg67-6x7h<\/code><\/a><\/td>\nModerate<\/td>\nXSS in beforeInteractive<\/code> scripts<\/td>\nNot possible to safely enable a managed WAF rule without potentially breaking application behavior<\/td>\n<\/tr>\n
GHSA-h64f-5h5j-jqjh<\/code><\/a><\/td>\nModerate<\/td>\nDenial of service in Image Optimization API<\/td>\nCustom WAF rule possible; global managed rule could potentially break application behavior<\/td>\n<\/tr>\n
GHSA-wfc6-r584-vfw7<\/code><\/a><\/td>\nModerate<\/td>\nCache poisoning in RSC responses<\/td>\nCustom WAF rule possible; global managed rule could potentially break application behavior<\/td>\n<\/tr>\n
GHSA-vfv6-92ff-j949<\/code><\/a><\/td>\nLow<\/td>\nCache poisoning via RSC cache-busting collisions<\/td>\nNot possible to safely enable a managed WAF rule without potentially breaking application behavior<\/td>\n<\/tr>\n
GHSA-3g8h-86w9-wvmq<\/code><\/a><\/td>\nLow<\/td>\nMiddleware redirect cache poisoning<\/td>\nCustom WAF rule possible; global managed rule could potentially break application behavior<\/td>\n<\/tr>\n<\/tbody>\n<\/table>","protected":false},"excerpt":{"rendered":"

Multiple security vulnerabilities were disclosed by the React team and Vercel affecting React Server Components and Next.js. These include denial of service, middleware and proxy bypass, server-side request forgery, cross-site scripting, and cache poisoning issues across a range of severity levels. We strongly recommend updating your application and its dependencies immediately. Patched versions are available […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-446","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/wordpress.securinsight.ca\/index.php\/wp-json\/wp\/v2\/posts\/446","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/wordpress.securinsight.ca\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/wordpress.securinsight.ca\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/wordpress.securinsight.ca\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/wordpress.securinsight.ca\/index.php\/wp-json\/wp\/v2\/comments?post=446"}],"version-history":[{"count":0,"href":"https:\/\/wordpress.securinsight.ca\/index.php\/wp-json\/wp\/v2\/posts\/446\/revisions"}],"wp:attachment":[{"href":"https:\/\/wordpress.securinsight.ca\/index.php\/wp-json\/wp\/v2\/media?parent=446"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/wordpress.securinsight.ca\/index.php\/wp-json\/wp\/v2\/categories?post=446"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/wordpress.securinsight.ca\/index.php\/wp-json\/wp\/v2\/tags?post=446"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}