This post discusses a recently published set of remote code execution (RCE) exploits that also include methods to bypass Web Application Firewalls (WAFs), specifically Cloudflare's WAF. The vulnerabilities involved are CVE-2025-55182, a server action RCE in Next.js achieved via prototype pollution, and CVE-2025-9501, affecting versions 2.0.x through 2.8.12 of the W3 Total Cache plugin for WordPress.

Importantly, the Next.js exploit does not only allow remote code execution; it also includes a technique to bypass Cloudflare's WAF, which is widely relied on to protect web applications from a range of attacks. The bypass is significant because it makes exploitation possible despite Cloudflare's security layers, exposing a critical gap in that protection.

Prototype pollution is a technique in which an attacker manipulates the prototype of a base object so that the properties they inject are inherited by every object created from it, potentially allowing arbitrary code execution in server actions. Because the bypass is integrated into the exploit, attackers can evade the detection and filtering that Cloudflare's WAF normally enforces, making the attack more effective. The situation illustrates the ongoing arms race between attackers developing new ways around security controls and defenders improving WAF rules and filters.

Website administrators running Next.js behind Cloudflare should urgently review and patch these vulnerabilities. WordPress users with W3 Total Cache installed should likewise apply the updates or mitigations for CVE-2025-9501. Continuous monitoring and updating of WAF rules remain essential against bypass attempts of this kind.
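To make the prototype-pollution mechanism concrete from a defender's point of view, here is an added JavaScript example that is not code from the original post, from Next.js or from React, and does not reproduce the CVE-2025-55182 exploit. It shows a generic recursive merge that is vulnerable to pollution through a `__proto__` key, the hardened form of the same merge, and a runtime canary that reports enumerable keys on `Object.prototype`. All function names (`unsafeMerge`, `safeMerge`, `probe`, `unexpectedPrototypeKeys`) and the JSON payload are constructed for this illustration.

```javascript
// Added example, not code from the original post or from Next.js/React:
// a generic prototype-pollution demo with a vulnerable and a hardened
// recursive merge. All function names and the payload are constructed here.

// Vulnerable: walks every attacker-controlled key, including "__proto__",
// so a nested object under that key is merged into Object.prototype itself.
function unsafeMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (target[key] === null || typeof target[key] !== 'object') target[key] = {};
      unsafeMerge(target[key], value); // target["__proto__"] resolves to Object.prototype
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: iterate own keys only, drop the three keys that reach a
// prototype, and never descend into an inherited property of the target.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue; // drop (or throw and log) rather than merge
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      const existing = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      if (existing === null || typeof existing !== 'object') target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Runtime canary: Object.prototype normally has no enumerable own keys, so
// any that appear indicate that some merge/assign path was polluted.
function unexpectedPrototypeKeys() {
  return Object.keys(Object.prototype);
}

// Runs the constructed payload through a merge function and reports whether a
// brand-new object inherited the injected property. Cleans up afterwards so
// the demo does not contaminate the rest of the process.
function probe(mergeFn, payloadJson) {
  const before = ({}).polluted;
  const merged = mergeFn({}, JSON.parse(payloadJson)); // JSON.parse yields an own "__proto__" key
  const after = ({}).polluted;
  const canary = unexpectedPrototypeKeys();
  delete Object.prototype.polluted;
  return { before, after, canary, merged };
}

// Constructed sample input: one poisoned key next to ordinary config data.
const PAYLOAD = '{"__proto__":{"polluted":"yes"},"config":{"debug":true}}';

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafeMerge:', probe(unsafeMerge, PAYLOAD)); // after: "yes", canary: ["polluted"]
  console.log('safeMerge:  ', probe(safeMerge, PAYLOAD));   // after: undefined, canary: []
}
```

The key-filtering in `safeMerge` is the fix that matters; the `hasOwnProperty` check is what stops the recursion from walking into `Object.prototype` through an inherited property even when a key slips through. As defence in depth, Node.js can be started with `--disable-proto=delete` (or `throw`), and an application can call `Object.freeze(Object.prototype)` at startup so that a polluted write fails instead of silently succeeding; the canary above is cheap enough to run from a health-check endpoint.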
Check out the original tweet here: https://twitter.com/vasanth_sreeram/status/2033722463750918407