
> Projects hosted on Vercel benefit from platform-level protections that already block malicious request patterns associated with this issue.

https://vercel.com/changelog/cve-2025-55182

> Cloudflare WAF proactively protects against React vulnerability

https://blog.cloudflare.com/waf-rules-react-vulnerability/



We collaborated with many industry partners to proactively deploy mitigations due to the severity of the issue.

We still strongly recommend everyone to upgrade their Next, React, and other React meta-frameworks (peer)dependencies immediately.


Does this include any provider that does not fall under USA CLOUD Act? This vulnerability disclosure timeline is a nightmare for us Europeans, it was fully disclosed yesterday late afternoon for us and I can trace back attack logs that happened during the night. I expect some downfalls from this.

I genuinely believe Next.JS is a great framework, but as a European developer working on software that should not touch anything related to CLOUD Act you're just telling me that Next.JS and React, despite being OSS, are not made for me anymore.


It’s infuriating how US-centric some OSS maintainers can be. Really sad if the OSS ecosystem also has to fragment into pieces like much of the internet is starting to.


Does AWS WAF have a mitigation in place?


Yes, AWS WAF rule is in AWSManagedRulesKnownBadInputsRuleSet https://aws.amazon.com/security/security-bulletins/rss/aws-2...



I patched and rebuilt what I could and added custom Crowdsec WAF rules for this, in case I missed something.



