[General Update] Critical Remote Code Execution Vulnerability in React
03 December 2025, 16:21 UTC
The Fastly Security Team, in coordination with Vercel, AWS, Next.js, and Meta, is issuing this urgent security advisory regarding a newly discovered, critical vulnerability in the React framework. The Next.js CVE-2025-66478 and React CVE-2025-55182 were published today, the 3rd of December 2025 at 15:54 UTC.
What Happened
On the 1st of December 2025, Vercel notified Fastly of a critical-severity unauthenticated Remote Code Execution (RCE) vulnerability that was responsibly disclosed to Meta, affecting React’s “Server Function” protocol.
The vulnerability impacts applications utilizing React Server Components (RSC) functionality via the following common frameworks/plugins:
- Next.js versions 15 and 16 (when using App Router)
- React Router RSC preview
- Parcel RSC plugin
- Vite RSC plugin
As of this notification, Fastly does not have knowledge or evidence of this vulnerability being exploited in the wild.
However, some customers running workloads using Fastly Compute, specifically those using the affected React versions and RSC implementations listed above, may be at risk. We encourage all Compute customers to refer to the identification and mitigation steps described in the next section.
What You Can Do
Next-Gen WAF (NGWAF)
To mitigate risk for your applications protected by NGWAF, we recommend that you immediately apply the Virtual Patch for CVE-2025-66478 (which also addresses CVE-2025-55182) to all Edge and On-prem services that may be vulnerable. The detection content within this CVE-specific Templated Rule looks for specific patterns within request headers and POST bodies that may indicate potential exploitation attempts of this CVE. Fastly’s Security Research team developed and tested this content in close collaboration with Vercel and AWS.
Compute
To mitigate risk for Compute Services, we recommend that you take the following steps:
Inventory and Identification: Identify all applications within your environment that are using the affected React versions (19.0, 19.1, and 19.2) in conjunction with any of the listed RSC implementations:
- Next.js 15, 15.1, 15.2, 15.3, 15.4, 15.5, 16
- App Router
- React Router RSC preview
- Parcel RSC plugin
- Vite RSC plugin
One method for identification is to perform a targeted search across your codebase for the relevant package dependencies in the package.json file. Efficient methods include:
- GitHub/Code Search: Use tools like GitHub's code search functionality.
- Command-Line Tools: Use grep or similar tools for local/private repositories.
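The command-line route described above, written out as an added example (this is not Fastly's tooling or part of the original advisory). It walks a source tree, reads each package.json outside node_modules, and reports dependencies on the React and Next.js version lines the advisory names (react 19.0, 19.1, 19.2; next 15.x and 16.x). The npm package names used for the React Router, Parcel and Vite RSC integrations (react-router, @parcel/rsc, @vitejs/plugin-rsc) are assumptions, so those are only flagged for review rather than judged; the sample tree it scans is constructed inline so the script runs offline.

```shell
#!/bin/sh
# Added example, not Fastly's code: find package.json files under a tree and
# report dependencies on the React / Next.js lines named in the advisory.

# Print the declared version of dependency $2 in package.json $1 (first match).
# Matches the key anywhere in the file, so dependencies and devDependencies
# are both covered. Uses | as the sed delimiter because scoped package names
# such as @parcel/rsc contain a slash.
dep_version() {
  sed -n "s|.*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*|\1|p" "$1" | head -n 1
}

# Strip a semver range prefix (^, ~, >=) and return "major.minor".
major_minor() {
  printf '%s\n' "$1" | sed 's/^[^0-9]*//' | cut -d. -f1,2
}

# Return 0 when a react or next version string falls in an affected line.
is_affected() {
  mm=$(major_minor "$2")
  major=${mm%%.*}
  case "$1" in
    react)
      # Affected React lines per the advisory: 19.0, 19.1, 19.2.
      # A bare "^19" carries no minor, so treat it as affected until pinned.
      case "$mm" in 19.0|19.1|19.2|19) return 0 ;; esac
      ;;
    next)
      # Affected Next.js lines per the advisory: 15 through 16.
      case "$major" in 15|16) return 0 ;; esac
      ;;
  esac
  return 1
}

# Scan every package.json under $1 (skipping node_modules) and print one
# tab-separated line per finding: path, package, declared version, verdict.
scan_tree() {
  find "$1" -name package.json ! -path '*/node_modules/*' | while read -r f; do
    for pkg in react react-dom next; do
      v=$(dep_version "$f" "$pkg")
      [ -n "$v" ] || continue
      name=$pkg
      if [ "$pkg" = "react-dom" ]; then name=react; fi   # react-dom tracks react's line
      if is_affected "$name" "$v"; then
        printf '%s\t%s\t%s\tAFFECTED\n' "$f" "$pkg" "$v"
      fi
    done
    # RSC integrations from the advisory; these package names are assumptions,
    # and no version line is known here, so presence alone is flagged for review.
    for pkg in react-router @parcel/rsc @vitejs/plugin-rsc; do
      v=$(dep_version "$f" "$pkg")
      if [ -n "$v" ]; then
        printf '%s\t%s\t%s\tREVIEW (RSC integration present)\n' "$f" "$pkg" "$v"
      fi
    done
  done
}

# Constructed sample tree for a stand-alone run; not real customer code.
make_sample_tree() {
  d=$(mktemp -d)
  mkdir -p "$d/shop/node_modules/x" "$d/blog"
  cat > "$d/shop/package.json" <<'EOF'
{
  "name": "shop",
  "dependencies": {
    "react": "^19.1.0",
    "react-dom": "^19.1.0",
    "next": "15.3.2"
  }
}
EOF
  cat > "$d/blog/package.json" <<'EOF'
{
  "name": "blog",
  "dependencies": { "react": "18.3.1", "react-router": "7.9.0" }
}
EOF
  # Nested node_modules copies must not be reported.
  cat > "$d/shop/node_modules/x/package.json" <<'EOF'
{ "name": "x", "dependencies": { "react": "19.0.0" } }
EOF
  printf '%s\n' "$d"
}

sample=$(make_sample_tree)
scan_tree "$sample"
rm -rf "$sample"
```

Point `scan_tree` at a checkout root instead of the sample tree to use it on real repositories; each AFFECTED line is a package to upgrade to the patched release, and each REVIEW line is an RSC integration whose fixed version should be confirmed against the upstream project's own advisory.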
Patching and Deployment: The affected React versions are 19.0, 19.1, and 19.2. Immediately deploy the official, stable patched versions released today, the 3rd of December 2025. The React 19 patch will be published for 19.2. The affected Next.js versions are 15 through 16, and patches will be published for versions 15, 15.1, 15.2, 15.3, 15.4, 15.5, and 16.
What We Did Immediately
Fastly initiated an internal investigation for our core platform infrastructure and has found no indication that we are directly vulnerable as of the date of this advisory. This includes our Compute platform itself; as described earlier, due to Compute’s sandboxed architecture, any apps that are not vulnerable to this bug will be protected even if neighboring apps are malicious or compromised.
In close partnership with Vercel, AWS, and Meta, our security research team began developing NGWAF content ahead of disclosure to provide protection for our customers as soon as the patch is applied. Fastly is currently investigating additional ways we can detect and block attack traffic as a result of this announced vulnerability. We will continue to develop and refine relevant NGWAF content as we observe exploitation attempts.
Customers with any questions or concerns may engage with our Support team through https://support.fastly.com or by contacting your designated account management team members.
05 December 2025, 22:56 UTC
Following further investigation and evaluation of the React2Shell vulnerability, and in response to widespread exploitation attempts, Fastly is implementing a default block for requests matching the attack signatures within NGWAF.
This action provides our NGWAF customers with enhanced defence against this emerging and urgent threat. No action is required on your part to benefit from this added protection.
We continue to encourage all customers to update any affected applications as soon as possible.
Customers with any questions or concerns may engage with our Support team through https://support.fastly.com or by contacting your designated account management team members.
12 December 2025, 00:06 UTC
On the 11th of December 2025 CVE-2025-55184 and CVE-2025-55183 were published; unlike React2Shell, these vulnerabilities do not allow for Remote Code Execution.
CVE-2025-55184 facilitates a Denial of Service in which an attacker can force a vulnerable application server into an infinite loop by crafting a specific request.
CVE-2025-55183 facilitates a leak of React Server Function source code. This CVE is likely not high impact for you unless you are using React Server Components and have sensitive or proprietary information contained in React Server Function source code.
What We Did Immediately
After receiving initial information from Vercel and Meta about CVE-2025-55184 and CVE-2025-55183, Fastly developed and deployed a Virtual Patch for each CVE in blocking mode by default for all Fastly NGWAF customers out of an abundance of caution. If you wish to disable this virtual patch, please refer to our documentation.
We continue to encourage all customers to update any affected applications as soon as possible.
Customers with any questions or concerns may engage with our Support team through https://support.fastly.com or by contacting your designated account management team members.
12 December 2025, 19:50 UTC
CVE-2025-67779: Complete DoS Fix
The fix addressing CVE-2025-55184 in React Server Components was incomplete and did not fully prevent DoS attacks in all payload types. CVE-2025-67779 addresses those additional payload types.
The Fastly NGWAF already covers this addendum CVE with our existing detection of CVE-2025-55184. We recommend upgrading any React and Next.js apps to patch this issue as well.
We continue to encourage all customers to update any affected applications as soon as possible.
Customers with any questions or concerns may engage with our Support team through https://support.fastly.com or by contacting your designated account management team members.
26 December 2025, 17:00 UTC
This event is being closed on our status page, the post will be available in our incident history, and our teams remain readily available for customer inquiry.
Status Post, Created Date/Time: 2025-12-03 16:30:06 UTC