Added virtual patch for CVE-2025-55184 (React DoS, also covers CVE-2025-67779)
A Denial of Service vulnerability has been found in React and has been assigned CVE-2025-55184. The fix addressing this CVE was incomplete, and a subsequent one was assigned CVE-2025-67779. Fastly has created a virtual patch that covers both CVEs and it is now enabled by default with immediate blocking for all Next-Gen WAF customers. To deactivate it and remove this protection from your services, follow the steps for your control panel below.
Next-Gen WAF control panel
- Professional or Premier platform
- Essentials platform
- Log in to the Next-Gen WAF control panel.
- From the Sites menu, select a site if you have more than one site.
- From the Rules menu, select Templated Rules.
- In the search bar, enter CVE-2025-55184 and then click View for the CVE-2025-55184 templated rule.
- Click Configure and then deselect the "Enabled" box under the "Configure thresholds and actions" section.
- Click Update rule.
Fastly control panel
- Log in to the Fastly control panel.
- Go to Security > Next-Gen WAF > Workspaces.
- Click Virtual Patches.
- In the search bar, enter CVE-2025-55184 and then click the pencil to the right of the CVE-2025-55184 virtual patch.
- From the Status menu, select Disabled.
- Click Update virtual patch.