
How F5 WAF Mitigates 0-Day CVEs - React2Shell Case Study

Understanding the Web Application Firewall’s role in defending against React2Shell

Executive Summary 

Zero-day and one-day vulnerabilities continue to challenge organizations, especially when exploits surface publicly before patches are available and widely deployed. React2Shell (CVE-2025-55182) is a recent example that highlights how dangerous it is to depend solely on the application layer for security. 

A Web Application Firewall (WAF) acts as a critical first line of defense, providing virtual patching, rapid mitigation, and resilience against evolving exploit variants.  

F5 WAFs include generic attack signatures that are not tied to a specific CVE. Instead, these signatures are designed to detect entire classes of attack behavior, often blocking malicious requests attempting to exploit a vulnerability even before a dedicated CVE signature exists, providing meaningful protection against zero-day threats. 

Furthermore, when a new vulnerability emerges, WAF protections can usually be updated far faster than application code, buying organizations valuable time to patch safely. 

Modern threat actors rely heavily on encoding tricks and obfuscation. Robust normalization ensures the WAF evaluates both encoded and decoded payloads, preventing trivial bypasses that target naive pattern-matching. 

 

Figure 1: Example payload used to exploit CVE-2025-55182

 

React2Shell Exploitation  

React2Shell demonstrates just how quickly threat actors can weaponize a public proof-of-concept. Following disclosure, the security community saw rapid exploitation attempts from large-scale threat actors, multiple vendors racing to release WAF signatures, and a surge of bypass techniques being shared online. 

This wave of activity showcased the crucial role WAFs play in modern web defense, providing organizations with valuable time to patch and deploy fixes. 

The F5 Security Research Team responded immediately by releasing dedicated CVE signatures for the F5 Application Delivery and Security Platform (ADSP), including 200204050 and 200204048 for CVE-2025-55182 (the original RCE), as well as additional protections for the follow-up vulnerabilities: 200012097 for CVE-2025-55184 (Denial of Service) and 200009348 for CVE-2025-55183 (Server Function Code Exposure). These signatures were complemented by targeted threat campaigns to block exploitation as soon as evidence of in-the-wild exploitation started to appear. 

 

Why Generic Attack Signatures Matter  

CVE-specific signatures are designed to block a particular exploit as precisely as possible, minimizing false positives. However, developing, testing, and deploying them takes time, and when an attack is actively unfolding, every second matters. Can an application be protected before a dedicated signature exists? In many cases, yes. 

All WAFs in the F5 ADSP include a broad set of generic attack signatures that defend against entire classes of attacks, such as server-side code injection, command execution, XSS, SQL injection, and more. 

For example, attempts to exploit the React2Shell vulnerability using publicly available proof-of-concepts are blocked by existing Server-Side Code Injection signatures: the exploit injects attacker-controlled JavaScript through a reference to _response._formData.get, and the vulnerable code path ends up executing that JavaScript. 

Specifically, the request shown in Figure 1 is blocked by signature 200004208 (JavaScript Code Injection – require()) and signature 200104636 (Node.js Code Injection – execSync), even in the absence of a dedicated CVE signature. 

While it is impossible to anticipate every mutation or variation of code injection attacks, these generic signatures provide a strong first line of defense and buy you valuable time to deploy targeted protections and apply software patches safely. 

 

WAF Bypasses Encountered in the Wild 

Throughout the React2Shell research, the security community explored a wide range of WAF bypass techniques. These discussions sparked broader questions about whether WAFs can truly provide effective, real-time protection in the face of rapidly evolving exploit methods. 

Encoding-Based Bypasses 

Some of the bypasses relied on alternative encodings, for example JSON string escapes, to slip past straightforward rules that match the raw request without normalizing it first. 

F5’s WAFs apply additional normalizations and run the rule logic on both the encoded and the decoded payload, preventing such bypasses and ensuring strict validation of the data that reaches the application. 

Figure 2: Example payload tested against vulnerable app, achieving RCE

Oversized Requests (Payload at the Tail End) 

Some bypass attempts used extremely large HTTP requests with the malicious payload embedded near the end. A WAF that buffers only a fixed prefix of the body, or that lacks proper streaming inspection, never examines the part of the request that carries the payload. 

F5 Advanced WAF mitigates this through: 

When this violation triggers, the request is dropped before reaching the application, effectively stopping the bypass technique. 
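The following is an added example, not F5's code and not a description of the unnamed violation above: it shows why a fixed-prefix inspector misses a tail-end payload, and two controls that close the gap, a hard request-length limit that drops the request before the tail is forwarded, and a streaming scan that carries an overlap across chunk boundaries so a pattern split between two chunks is still matched. The limits, the injection pattern and the sample bodies are assumptions chosen for illustration.

```javascript
// Added example (not F5's code): how an oversized body defeats a WAF that
// inspects only a fixed prefix, and two controls that close the gap. The
// limits, the pattern and the sample bodies are assumptions for illustration.

const INJECTION = /\b(?:require|execSync)\s*\(/;

// Naive inspector: buffers at most `bufferLimit` bytes and forwards the rest
// uninspected, so a payload placed after the limit is never examined.
function naiveInspect(body, bufferLimit) {
  const prefix = body.subarray(0, bufferLimit).toString('latin1');
  return INJECTION.test(prefix) ? 'block' : 'allow';
}

// Streaming inspector with a hard request-length violation:
//  - every chunk is scanned together with the tail of the previous chunk, so a
//    pattern split across a chunk boundary is still matched;
//  - once the running length exceeds maxRequestLength the request is dropped
//    before anything further is forwarded, whatever the payload is.
function streamingInspect(chunks, { maxRequestLength, overlap = 64 }) {
  let seen = 0;
  let tail = Buffer.alloc(0);
  for (const chunk of chunks) {
    seen += chunk.length;
    if (seen > maxRequestLength) {
      return { decision: 'drop', reason: 'request length exceeded', bytesSeen: seen };
    }
    const window = Buffer.concat([tail, chunk]).toString('latin1');
    if (INJECTION.test(window)) {
      return { decision: 'block', reason: 'code injection signature', bytesSeen: seen };
    }
    tail = chunk.subarray(Math.max(0, chunk.length - overlap));
  }
  return { decision: 'allow', reason: 'clean', bytesSeen: seen };
}

// Split a body into fixed-size chunks, the way a proxy receives it.
function* chunked(body, size) {
  for (let off = 0; off < body.length; off += size) yield body.subarray(off, off + size);
}

const CHUNK = 16 * 1024;
const PAYLOAD = "require('child_process').execSync('id')";

// Constructed bodies (not the real exploit): a 2 MiB request with the payload
// at the very end, and a smaller one where "require(" straddles the first
// chunk boundary: "&x=requ" ends chunk 1 and "ire(" starts chunk 2.
const BIG = Buffer.concat([Buffer.alloc(2 * 1024 * 1024, 0x41), Buffer.from(`&x=${PAYLOAD}`)]);
const STRADDLE = Buffer.concat([Buffer.alloc(CHUNK - 7, 0x41), Buffer.from("&x=require('child_process')")]);

function demo() {
  const big = { maxRequestLength: 4 * 1024 * 1024 };
  return {
    // 'allow': the payload sits past the 8 KiB buffer and is never looked at
    naiveBig: naiveInspect(BIG, 8 * 1024),
    // 'drop': the 1 MiB length violation fires long before the tail arrives
    limitBig: streamingInspect(chunked(BIG, CHUNK), { maxRequestLength: 1024 * 1024 }),
    // 'block': with a larger limit the streaming scan reaches the tail chunk
    scanBig: streamingInspect(chunked(BIG, CHUNK), big),
    // 'block': the overlap window joins "requ" and "ire(" across the boundary
    straddle: streamingInspect(chunked(STRADDLE, CHUNK), big),
    // 'allow': the same split pattern is missed when chunks are scanned in isolation
    noOverlap: streamingInspect(chunked(STRADDLE, CHUNK), { ...big, overlap: 0 }),
  };
}

console.log(demo());
```

The two controls are complementary: the length limit is cheap and protocol-agnostic, while the overlapping streaming scan is what makes signature matching meaningful on a body larger than any single inspection buffer.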

 

UTF-16LE / UCS-2 Payload Encodings 

Researchers also experimented with injecting payloads encoded in multi-byte formats to break naive pattern-matching rules. 

F5 WAF’s additional normalization layers ensure that such payloads are properly evaluated and blocked when malicious. As a result, a malicious request (see Figure 3) is blocked by the new Next.js RSC Remote Code Execution signature (ID 200204050) just as it would be if sent in its normal form, thanks to strictly enforced normalization. 

Figure 3: malicious payload containing multi-byte encodings
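The normalization described here and under Encoding-Based Bypasses, together with the class-based signatures from Why Generic Attack Signatures Matter, as one added example that is not F5's code: a small "decode every view, then match" inspector that unwraps percent-encoding, JSON string escapes and UTF-16LE/UCS-2 before running both generic code-injection rules and one CVE-specific rule. The signature IDs and regexes are placeholders chosen for illustration, not the vendor's rule definitions, and the sample bodies are constructed; they carry the injection fragment in several encodings but are not the exploit itself.

```javascript
// Added example (not F5's code): a minimal "normalize, then match" inspector.
// Signature IDs, regexes and sample bodies below are assumptions for
// illustration; they are not the vendor's rule definitions.

const SIGNATURES = [
  // Generic, class-based rules: they describe a kind of attack, not a CVE,
  // so they fire on any Node.js code injection that reaches a sink.
  { id: 'generic-require',  desc: 'JavaScript Code Injection - require()', re: /\brequire\s*\(/ },
  { id: 'generic-execsync', desc: 'Node.js Code Injection - execSync',     re: /\bexecSync\s*\(/ },
  // CVE-specific rule: keys on the reference string the public PoC relies on.
  { id: 'cve-2025-55182',   desc: 'Next.js RSC Remote Code Execution',     re: /_response\._formData\.get/ },
];

// Heuristic: a body whose odd-indexed bytes are mostly NUL is ASCII text
// encoded as UTF-16LE / UCS-2 (a leading FF FE BOM is also accepted).
function looksUtf16le(buf) {
  if (buf.length >= 2 && buf[0] === 0xff && buf[1] === 0xfe) return true;
  if (buf.length < 4) return false;
  let nul = 0, odd = 0;
  for (let i = 1; i < buf.length; i += 2) { odd++; if (buf[i] === 0) nul++; }
  return nul / odd >= 0.5;
}

// Byte-wise percent decoding; unlike decodeURIComponent it never throws on
// sequences that are not valid UTF-8, which is exactly what evasions send.
function urlDecode(s) {
  return s.replace(/%([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Undo JSON string escapes (\uXXXX and the short forms) without requiring the
// surrounding document to be well-formed JSON.
function jsonUnescape(s) {
  const short = { '"': '"', '\\': '\\', '/': '/', b: '\b', f: '\f', n: '\n', r: '\r', t: '\t' };
  return s.replace(/\\u([0-9a-fA-F]{4})|\\(["\\\/bfnrt])/g,
    (_, hex, c) => (hex ? String.fromCharCode(parseInt(hex, 16)) : short[c]));
}

const MAX_ROUNDS = 3; // bounded so nested encodings cannot make the loop run forever

// Produce every decoded "view" of the body. Rules later run on all of them,
// so a payload hidden behind one or two layers of encoding is still seen.
function normalize(buf) {
  const views = [{ name: 'raw', text: buf.toString('latin1') }];
  if (looksUtf16le(buf)) {
    views.push({ name: 'utf16le', text: buf.toString('utf16le').replace(/^\uFEFF/, '') });
  }
  const decoders = [['url', urlDecode], ['json', jsonUnescape]];
  for (let round = 0; round < MAX_ROUNDS; round++) {
    let added = false;
    for (const v of [...views]) {
      for (const [dname, fn] of decoders) {
        const out = fn(v.text);
        if (out !== v.text && !views.some((x) => x.text === out)) {
          views.push({ name: `${v.name}>${dname}`, text: out });
          added = true;
        }
      }
    }
    if (!added) break;
  }
  return views;
}

// Returns the signatures that match and the view each one matched in.
// With normalizeBody=false only the raw bytes are checked (the "naive" WAF).
function inspect(buf, { normalizeBody = true } = {}) {
  const views = normalizeBody ? normalize(buf) : [{ name: 'raw', text: buf.toString('latin1') }];
  const hits = [];
  for (const sig of SIGNATURES) {
    const v = views.find((x) => sig.re.test(x.text));
    if (v) hits.push({ id: sig.id, view: v.name });
  }
  return hits;
}

// Constructed sample bodies (not the real exploit): one injection fragment in
// several encodings, one body carrying only the CVE-specific reference
// string, and one benign body.
const PAYLOAD = "require('child_process').execSync('id')";
const SAMPLES = {
  plain:   Buffer.from(`{"cmd":"${PAYLOAD}"}`),
  json:    Buffer.from(String.raw`{"cmd":"\u0072equire('child_process').exec\u0053ync('id')"}`),
  url:     Buffer.from('cmd=require%28%27child_process%27%29.execSync%28%27id%27%29'),
  utf16le: Buffer.from(`{"cmd":"${PAYLOAD}"}`, 'utf16le'),
  cveRef:  Buffer.from('{"chunk":"_response._formData.get"}'),
  benign:  Buffer.from('{"name":"alice","page":2}'),
};

function ids(hits) { return hits.map((h) => h.id).sort(); }

for (const [name, body] of Object.entries(SAMPLES)) {
  console.log(name.padEnd(8), 'naive:', ids(inspect(body, { normalizeBody: false })),
              'normalized:', ids(inspect(body)));
}
```

Run as-is, the naive column is empty for the json, url and utf16le bodies while the normalized column reports both generic signatures for all four encodings of the same fragment; the cveRef body only trips the CVE-specific rule, which is the precision-versus-coverage trade-off the article describes.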

 

Conclusions 

React2Shell is a strong reminder that application-layer security alone is not enough. 

WAFs provide critical, rapid mitigation, especially against 0-days and 1-days where exploit code becomes public before patches are widely deployed. 

To verify your WAF's efficacy, test it against encoding tricks, oversized payloads, obfuscated variants of known payloads, and simple logic tricks such as signatures that key on request elements the attack does not actually need.  

Equally important is the presence of generic signatures, including runtime- or framework-specific ones such as Node.js code injection rules, that detect malicious behavior independent of any specific CVE. 

Published Dec 17, 2025
Version 1.0