Added virtual patch for CVE-2025-55183 (React Leaking Server Functions)
A Leak of Server Functions has been found in React and has been assigned CVE-2025-55183. Fastly has created a virtual patch and it is now enabled by default with immediate blocking for all Next-Gen WAF customers. To deactivate it and remove this protection from your services, follow the steps for your control panel below.
Next-Gen WAF control panel
- Professional or Premier platform
- Essentials platform
Log in to the Next-Gen WAF control panel.
From the Sites menu, select a site if you have more than one site.
- From the Rules menu, select Templated Rules.
- In the search bar, enter
CVE-2025-55183and then click View for the CVE-2025-55183 templated rule. - Click Configure and then deselect the “Enabled” box under the "Configure thresholds and actions” section.
- Click Update rule.
Fastly control panel
Log in to the Fastly control panel.
Go to Security > Next-Gen WAF > Workspaces.
- Click Virtual Patches.
- In the search bar, enter
CVE-2025-55183and then click the pencil to the right of the CVE-2025-55183 virtual patch. - From the Status menu, select Disabled.
- Click Update virtual patch.
Prior change: CVE-2025-55182 virtual patch enabled by default
Following change: Added virtual patch for CVE-2025-55184 (React DoS)
