CVE-2025-55182 and CVE-2025-66478: VMware Avi Load Balancer - WAF Mitigation


Article ID: 421240

Updated On:

Products

VMware Avi Load Balancer

Issue/Introduction

  • These vulnerabilities [CVE-2025-55182 and CVE-2025-66478] affect services built using React Server Components and Next.js for certain server-side use cases.
  • VMware Avi Load Balancer does not utilize React or Next.js in its architecture and is therefore not impacted by these vulnerabilities.

Environment

  • VMware Avi Load Balancer

Cause

Vulnerability background:

  • Next.js is a web development framework that depends on React, and is also commonly used for building user interfaces. (The Next.js vulnerability was referenced as CVE-2025-66478 before being marked as a duplicate.)

    Vulnerable versions: Next.js 15.x, Next.js 16.x, Next.js 14.3.0-canary.77 and later canary releases

    Patched versions are listed here.

    Announcement: https://nextjs.org/blog/CVE-2025-66478

Resolution

Mitigate CVE-2025-55182 and CVE-2025-66478 using Avi Web Application Firewall (WAF)

  • This is a very React-specific attack payload; the existing Avi WAF CRS (Core Rule Set) rules do not protect against it.
  • The recommended protection is to install the updates provided by the vendor. Given the severity score of 10, we still recommend updating as soon as possible even if the Avi WAF custom rule below is used to protect the application.
  • Avi WAF can protect against the attack by filtering the known attack vectors with the custom Pre-CRS rules provided below.
  • Follow the steps below to configure the custom Pre-CRS rules that block the attack using Avi WAF:

    1. From the Avi Load Balancer UI, navigate to Templates > WAF > WAF Policy
    2. Click Create Or Edit an existing WAF Policy
    3. Enter the required details under the Configuring WAF Policy
    4. Click the Signatures tab



    5. Under Pre-CRS Rules, click Create Group



    6. Create Rule1 and Rule2
    6.1 Set the Rule name
    6.2 Select the Rule Mode: Enforcement
    6.3 Enter the Rule in the text box. The Rule is written in ModSecurity (SecRule) syntax



    6.3.1 Rule1: Detect whether the request carries a React action header (Next-Action or rsc-action-id); if so, mark the request as a React action and turn on request body access so that Rule2 can inspect the body in phase 2.

    SecRule REQUEST_HEADERS:Next-Action|REQUEST_HEADERS:rsc-action-id "@unconditionalMatch" \
        "id:4099870,\
        phase:1,\
        pass,\
        nolog,\
        t:none,\
        setvar:tx.is_react_action=1,\
        ctl:RequestBodyAccess=On"


    6.3.2 Rule2: If the request is marked as a React action, inspect the request arguments and body for the dangerous keywords (after URL decoding and lowercasing); if any is found, block the request.

    SecRule TX:is_react_action "@eq 1" \
        "id:4099871,\
        phase:2,\
        block,\
        msg:'React CVE-2025-55182 Exploit Attempt',\
        severity:CRITICAL,\
        chain"
        SecRule ARGS|REQUEST_BODY "@rx \b(?:__proto__|constructor|prototype|child_process|vm|fs)\b" \
            "t:none, t:urlDecodeUni, t:lowercase"

    6.4 Save the settings

    Note: The rules may need to be tweaked if new payloads are found.
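To check what the two rules above match before switching them to Enforcement mode, the following is an added Python model of their logic (example code, not Avi or ModSecurity code). The rule ids and the regex are taken from the rules above; the function names and the sample requests are constructed for this example, and `urllib.parse.unquote` stands in for `t:urlDecodeUni`, which additionally decodes `%uXXXX` sequences.

```python
import re
from urllib.parse import unquote

# Hypothetical model of the two Pre-CRS rules above (ids 4099870 and 4099871),
# written to test what they match; it is not ModSecurity or Avi code.
REACT_ACTION_HEADERS = ("next-action", "rsc-action-id")
# Same pattern as Rule2. The plain words "vm" and "fs" also match, which is
# one reason the rule may need tuning for a given application.
DANGEROUS = re.compile(r"\b(?:__proto__|constructor|prototype|child_process|vm|fs)\b")

def transform(value: str) -> str:
    # t:urlDecodeUni then t:lowercase; unquote() approximates urlDecodeUni
    # and does not decode %uXXXX sequences.
    return unquote(value).lower()

def rule_4099870(headers: dict) -> dict:
    # Phase 1: either React action header present -> tx.is_react_action=1
    # (the real rule also turns on request body access for phase 2).
    present = {name.lower() for name in headers}
    if any(h in present for h in REACT_ACTION_HEADERS):
        return {"is_react_action": 1}
    return {}

def rule_4099871(tx: dict, args: dict, body: str):
    # Phase 2 chain: the first link requires tx.is_react_action == 1; the
    # second runs the regex over each ARGS value and REQUEST_BODY after transforms.
    if tx.get("is_react_action") != 1:
        return None  # chain breaks at the first link, so nothing is blocked
    for value in list(args.values()) + [body]:
        match = DANGEROUS.search(transform(value))
        if match:
            return {"id": 4099871, "action": "block", "matched": match.group(0)}
    return None

def evaluate(headers: dict, args: dict, body: str) -> dict:
    # Run both rules in order and report the WAF decision for one request.
    tx = rule_4099870(headers)
    return rule_4099871(tx, args, body) or {"action": "pass"}

if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    samples = [
        ({"Next-Action": "a1b2"}, {}, '{"a":1}'),                # action, benign body: pass
        ({}, {}, "__proto__"),                                    # keyword, no header: pass
        ({"rsc-action-id": "a1b2"}, {"field0": "%5F%5Fproto%5F%5F"}, ""),  # encoded: block
        ({"Next-Action": "a1b2"}, {}, "CONSTRUCTOR"),             # mixed case: block
    ]
    for headers, args, body in samples:
        print(evaluate(headers, args, body))
```

The second sample shows the gating effect of Rule1: a keyword in a request without either action header is not blocked by these rules, so they do not replace the vendor patch.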