Public statement on CVE-2025-55182

Our review shows the affected React packages are present only in non-production amazee.io resources.

We are continuing to monitor for any further issues.

Summary

We are aware of CVE-2025-55182, a critical vulnerability impacting certain versions of React Server Components and Next.js. Our priority is to protect customer workloads while upstream patches are applied.

What we've done

For customers using the Advanced WAF solution provided by amazee.io, we have enabled virtual patching in blocking mode to mitigate exploit attempts while application upgrades proceed. At this time, there is no mitigation available at the CDN layer.

Customer action

If your applications use affected React packages or frameworks (for example, Next.js 15.x or 16.x App Router), upgrade to patched versions as soon as possible per vendor guidance.

* Continue standard secure development practices and monitor your application logs for anomalies.
* Virtual patches reduce risk, but code upgrades remain the definitive fix.

Support

If you have questions about exposure, upgrade paths, or rule coverage, contact our support team through your standard channel.

Our Commitment

Security is central to our mission. We continuously work to strengthen protections, reduce risk, and keep our customers informed.

References

* CVE-2025-55182 record: https://www.cve.org/CVERecord?id=CVE-2025-55182
* React Server Components advisory: https://github.com/advisories/GHSA-fv66-9v8q-g76r
* Next.js advisory: https://github.com/advisories/GHSA-9qr9-h5gf-34mp