Cloudflare has deployed new protections against a critical Remote Code Execution (RCE) vulnerability in React Server Components, which affects applications built with React and frameworks based on it, such as Next.js and React Router. The vulnerability, identified in React versions 19.0 to 19.2 and Next.js versions 15 through 16, involves insecure deserialization of malicious requests. To safeguard users, Cloudflare has introduced new rules across its network with the default action set to block, protecting all customers whose traffic is routed through its Web Application Firewall (WAF). Cloudflare Workers are not affected by this exploit, but all users are urged to update to the latest versions of React and Next.js for additional security. The rules are part of Cloudflare's ongoing work with security partners to monitor for attack variations and adapt to them, so that all proxied traffic stays protected.