Saved February 14, 2026
Do you care about this?
Cloudflare has implemented new WAF rules to protect against a Remote Code Execution vulnerability affecting specific React versions and Next.js. All customers are automatically shielded as long as their traffic is routed through Cloudflare, but updating to React 19.2.1 and the latest Next.js versions is still recommended. Cloudflare's security team will monitor for potential attacks and adjust protections as needed.
If you do, here's more
Cloudflare has introduced new security measures to tackle a serious vulnerability in React Server Components. This issue affects versions 19.0, 19.1, and 19.2 of React, as well as Next.js versions 15 through 16. The vulnerability, classified as a Remote Code Execution (RCE) risk with a CVSS score of 10.0, allows malicious requests to be deserialized insecurely, leading to potential exploits. Customers using Cloudflare's Web Application Firewall (WAF) are automatically protected, whether they are on free or paid plans, as long as their React application traffic goes through Cloudflare.
The Cloudflare security team has implemented new rules that block harmful traffic. These rules are part of both the Free Managed Ruleset and the standard Managed Ruleset available to paying users. Customers on Professional, Business, or Enterprise plans need to ensure that Managed Rules are activated, while Free plan users have these protections enabled by default. The recommended action is to update to React version 19.2.1 and the latest Next.js versions (16.0.7, 15.5.7, or 15.4.8) to mitigate any risk further.
The new rules went live on December 2, 2025, at 5:00 PM GMT. Since their deployment, no attempts to exploit this vulnerability have been reported. Cloudflare is actively monitoring for any potential attack variations and plans to refine its protections as needed, collaborating with security partners to identify and counter various attack patterns.