The flaw stems from an unsafe deserialization issue in the RSC "Flight" protocol, allowing attackers to execute arbitrary code on the server simply by sending a malicious HTTP request. Additionally, a parallel CVE, CVE-2025-66478, has been rejected by NIST as a duplicate of the upstream CVE-2025-55182.
NetScaler products are not impacted by CVE-2025-55182. Customers using NetScaler ADC, Gateway, and other NetScaler solutions DO NOT need to update their NetScaler infrastructure.
In addition to being unaffected by CVE-2025-55182, NetScaler customers benefit from an additional layer of security through the NetScaler Web Application Firewall (WAF). NetScaler WAF includes up-to-date security signatures that can help detect and block exploit attempts related to CVE-2025-55182. These signatures can be used to protect a customer’s applications which may be vulnerable to CVE-2025-55182.
| Signature rule | CVE ID | Description |
|---|---|---|
| 998201 | CVE-2025-55182 | WEB-MISC React Server Prior to 19.0.1, 19.1.1 and 19.2.1 - Remote Code Execution Vulnerability (CVE-2025-55182) |
NetScaler customers can quickly import the above signatures to help reduce risk and lower exposure associated with these vulnerabilities. Signatures are compatible with NetScaler (formerly Citrix ADC) software versions 12.1, 13.0, 13.1 and 14.1.
NOTE: Software versions 11.1 and 12.0 are end of life, and you should consider upgrading for continued support. Learn more about the NetScaler software release lifecycle.
If you are already using NetScaler Web App Firewall with the signature auto-update feature enabled, verify that your signature file version is 165 or later and then follow these steps.
1. Search your signatures for 998201
2. Select the results with ID
3. Choose “Enable Rules” and click OK
A critical vulnerability, CVE-2025-55182, known as “React2Shell”, has been identified in React Server Components (RSC). This flaw carries a CVSS score of 10.0, making it a severe unauthenticated remote code execution (RCE) risk for applications built on React.
NetScaler products are not impacted by CVE-2025-55182.
NetScaler has released version 166 of its WAF signature to detect and block exploit attempts targeting React2Shell.
Reference to the blog
https://community.citrix.com/techzone-blogs/netscaler/netscaler-waf-signatures-update-v166-react2shell-r1216/