03 December 2025, 16:21 UTC

The Fastly Security Team, in coordination with Vercel, AWS, Next.js, and Meta, are issuing this urgent security advisory regarding a newly discovered, critical vulnerability in the React framework. The Next.js CVE-2025-66478 and React CVE-2025-55182 were published today, the 3rd of December 2025 at 15:54 UTC.

What Happened

On the 1st of December 2025, Vercel notified Fastly of a critical-severity unauthenticated Remote Code Execution (RCE) vulnerability that was responsibly disclosed to Meta, affecting React’s “Server Function" protocol. 

The vulnerability impacts applications utilizing React Server Components (RSC) functionality via the following common frameworks/plugins:

• Next.js versions 15 and 16 (when using App Router)
• React Router RSC preview
• Parcel RSC plugin
• Vite RSC plugin

As of this notification, Fastly does not have knowledge or evidence of this vulnerability being exploited in the wild.

However, some customers running workloads using Fastly Compute, specifically those using the affected React versions and RSC implementations listed above, may be at risk. We encourage all Compute customers to refer to the identification and mitigation steps described in the next section.

What You Can Do 

Next-Gen WAF (NGWAF)

To mitigate risk for your applications protected by NGWAF, we recommend that you immediately apply the Virtual Patch for CVE-2025-66478 (which also addresses CVE-2025-55182) to all Edge and On-prem services that may be vulnerable. The detection content within this CVE-specific Templated Rule looks for specific patterns within request headers and POST bodies that may indicate potential exploitation attempts of this CVE. Fastly’s Security Research team developed and tested this content in close collaboration with Vercel and AWS. 

Compute

To mitigate risk for Compute Services, we recommend that you take the following steps: 

Inventory and Identification: Identify all applications within your environment that are using the affected React versions (19.0, 19.1, and 19.2) in conjunction with any of the listed RSC implementations: 

• Next.js 15, 15.1, 15.2, 15.3, 15.4, 15.5, 16 
• App Router
• React Router RSC preview
• Parcel RSC plugin
• Vite RSC plugin. 

One method for identification is to perform a targeted search across your codebase for the relevant package dependencies in the package.json file.  Efficient methods include: 

• GitHub/Code Search: Use tools like GitHub's code search functionality.
• Command-Line Tools: Use grep or similar tools for local/private repositories.

Patching and Deployment: The affected React versions are 19.0, 19.1, and 19.2. Immediately deploy the official, stable patched versions released today, the 3rd of December 2025. The React 19 patch will be published for 19.2. The affected Next.js versions are 15 through 16, and patches will be published for versions 15, 15.1, 15.2, 15.3, 15.4, 15.5, and 16.

What We Did Immediately

Fastly initiated an internal investigation for our core platform infrastructure and has found no indication that we are directly vulnerable as of the date of this advisory. This includes our Compute platform itself; as described earlier, due to Compute’s sandboxed architecture, any apps that are not vulnerable to this bug will be protected even if neighboring apps are malicious or compromised. 

In close partnership with Vercel, AWS, and Meta, our security research team began developing NGWAF content ahead of disclosure to provide protection for our customers as soon as the patch is applied. Fastly is currently investigating additional ways we can detect and block attack traffic as a result of this announced vulnerability. We will continue to develop and refine relevant NGWAF content as we observe exploitation attempts. 

Customers with any questions or concerns may engage with our Support team through https://support.fastly.com or by contacting your designated account management team members.