Fastly Engineers detected a performance-impacting event affecting our API & Configuration Management services.
All data centers and other network services were unaffected. The issue has been resolved and we are monitoring performance closely.
The Fastly Security Team, in coordination with Vercel, AWS, Next.js, and Meta, is issuing this urgent security advisory regarding a newly discovered, critical vulnerability in the React framework. The Next.js CVE-2025-66478 and React CVE-2025-55182 were published today, the 3rd of December 2025 at 15:54 UTC.
What Happened
On the 1st of December 2025, Vercel notified Fastly of a critical-severity unauthenticated Remote Code Execution (RCE) vulnerability that was responsibly disclosed to Meta, affecting React’s “Server Function” protocol.
The vulnerability impacts applications utilizing React Server Components (RSC) functionality via the following common frameworks/plugins:
- Next.js versions 15 and 16 (when using App Router)
- React Router RSC preview
- Parcel RSC plugin
- Vite RSC plugin
As of this notification, Fastly does not have knowledge or evidence of this vulnerability being exploited in the wild.
However, some customers running workloads using Fastly Compute, specifically those using the affected React versions and RSC implementations listed above, may be at risk. We encourage all Compute customers to refer to the identification and mitigation steps described in the next section.
What You Can Do
Next-Gen WAF (NGWAF)
To mitigate risk for your applications protected by NGWAF, we recommend that you immediately apply the Virtual Patch for CVE-2025-66478 (which also addresses CVE-2025-55182) to all Edge and On-prem services that may be vulnerable. The detection content within this CVE-specific Templated Rule looks for specific patterns within request headers and POST bodies that may indicate potential exploitation attempts of this CVE. Fastly’s Security Research team developed and tested this content in close collaboration with Vercel and AWS.
Compute
To mitigate risk for Compute Services, we recommend that you take the following steps:
Inventory and Identification: Identify all applications within your environment that are using the affected React versions (19.0, 19.1, and 19.2) in conjunction with any of the listed RSC implementations:
- Next.js 15, 15.1, 15.2, 15.3, 15.4, 15.5, 16
- App Router
- React Router RSC preview
- Parcel RSC plugin
- Vite RSC plugin
One method for identification is to perform a targeted search across your codebase for the relevant package dependencies in the package.json file. Efficient methods include:
- GitHub/Code Search: Use tools like GitHub's code search functionality.
- Command-Line Tools: Use grep or similar tools for local/private repositories.
Patching and Deployment: The affected React versions are 19.0, 19.1, and 19.2. Immediately deploy the official, stable patched versions released today, the 3rd of December 2025. The React 19 patch will be published for 19.2. The affected Next.js versions are 15 through 16, and patches will be published for versions 15, 15.1, 15.2, 15.3, 15.4, 15.5, and 16.
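For the inventory step above, the following added example (not Fastly's or the React project's code) walks a source tree and checks each package.json against the release lines named in this advisory. The `RSC_HINT` name pattern is a heuristic assumed for illustration, since the advisory does not name packages, and the `affected-line` verdict cannot distinguish a patched build because no patched version numbers are listed here.

```python
import json
import os
import re
import sys

# Heuristic, not from the advisory: dependency names suggesting an RSC implementation.
RSC_HINT = re.compile(r"rsc|^react-server-dom-|^react-router$|^next$")
SPEC = re.compile(r"^[\^~=v\s]*(\d+)(?:\.(\d+))?")

def classify(name, spec):
    """Map a package.json version spec to 'affected-line', 'ok' or 'review'."""
    m = SPEC.match(spec)
    if not m or "||" in spec or " " in spec.strip():
        return "review"  # dist-tags, git URLs, open or compound ranges: check the lockfile
    major, minor = int(m.group(1)), m.group(2)
    if name == "react":  # advisory: React 19.0, 19.1 and 19.2
        hit = major == 19 and (minor is None or int(minor) <= 2)
    else:                # advisory: Next.js 15 through 16
        hit = major in (15, 16)
    return "affected-line" if hit else "ok"

def check_manifest(text):
    """Return (findings, rsc_hints) for one package.json document."""
    pkg = json.loads(text)
    deps = {}
    for section in ("dependencies", "devDependencies"):
        deps.update(pkg.get(section) or {})
    findings = [(n, deps[n], classify(n, deps[n])) for n in ("react", "next") if n in deps]
    hints = sorted(n for n in deps if RSC_HINT.search(n))
    return findings, hints

def scan(root):
    """Walk a source tree (skipping node_modules) and check every package.json."""
    results = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in ("node_modules", ".git")]
        if "package.json" in filenames:
            path = os.path.join(dirpath, "package.json")
            try:
                with open(path, encoding="utf-8") as fh:
                    results[path] = check_manifest(fh.read())
            except (OSError, ValueError, AttributeError) as exc:
                results[path] = ([("?", str(exc), "review")], [])
    return results

# Constructed sample manifest, used when no directory is given.
SAMPLE = '{"dependencies": {"react": "^19.1.0", "next": "15.3.2", "left-pad": "1.3.0"}}'

if __name__ == "__main__":
    found = scan(sys.argv[1]) if len(sys.argv) > 1 else {"<sample>": check_manifest(SAMPLE)}
    for path, (findings, hints) in found.items():
        for name, spec, verdict in findings:
            print(f"{verdict:14} {name} {spec}  rsc-hints={hints}  {path}")
```

Treat `review` results as unresolved: the installed version is whatever the lockfile pins, so confirm it there before ruling a project out.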
What We Did Immediately
Fastly initiated an internal investigation for our core platform infrastructure and has found no indication that we are directly vulnerable as of the date of this advisory. This includes our Compute platform itself; as described earlier, due to Compute’s sandboxed architecture, any apps that are not vulnerable to this bug will be protected even if neighboring apps are malicious or compromised.
In close partnership with Vercel, AWS, and Meta, our security research team began developing NGWAF content ahead of disclosure to provide protection for our customers as soon as the patch is applied. Fastly is currently investigating additional ways we can detect and block attack traffic as a result of this announced vulnerability. We will continue to develop and refine relevant NGWAF content as we observe exploitation attempts.
Customers with any questions or concerns may engage with our Support team through https://support.fastly.com or by contacting your designated account management team members.
Fastly will be adding capacity at our Hyderabad (HYD) POP. End-users may observe connection resets as traffic is migrated onto new hardware starting on 02 December 2025 at 22:00 UTC.
Our estimated duration is 8h.
When this change is applied, customers may observe additional origin traffic as new cache nodes retrieve content from origin. Please verify that your origin access lists allow the full range of Fastly IP addresses (https://docs.fastly.com/en/guides/accessing-fastlys-ip-ranges). Customers with any questions or concerns should contact Fastly’s Support team at https://support.fastly.com.
The scheduled maintenance has been completed.
To offer feedback on our status page, click "Give Feedback"
We are investigating elevated errors to our Frankfurt (FRA), Lisbon (LIS), London (LCY), Rome (FCO), Chicago (CHI), Detroit (DTW), Paris (PAR) Points of Presence (POPs)
All other products and services are unaffected by this incident.
Our engineers believe they have identified a contributing factor causing the issue impacting our Frankfurt (FRA), Lisbon (LIS), London (LCY), Rome (FCO), Chicago (CHI), Detroit (DTW), Paris (PAR) POPs.
We are now developing a fix, and will post a new update once it has been fully implemented and we see signs of recovery.
All other products and services are unaffected by this incident.
Engineering has confirmed the impact to our Frankfurt (FRA), Lisbon (LIS), London (LCY), Rome (FCO), Chicago (CHI), Detroit (DTW), Paris (PAR) POPs has been mitigated.
Engineering has confirmed that our Frankfurt (FRA), Lisbon (LIS), London (LCY), Rome (FCO), Chicago (CHI), Detroit (DTW), Paris (PAR) POPs have been fully restored. Customers may have experienced elevated errors and increased latency from 20:13 to 21:20 UTC.
This incident is resolved.
Status Post, Created Date/Time: 2025-11-29 20:35:29 UTC
Note: Our Customer Escalation Management team will update the start date and time of the initial "investigating" status post upon the resolution of this incident. This update is meant to provide our customers and their end users with a potential impact window. The date and time mentioned in the message above indicates when the status post was requested by our Acute Incident Response team.
Our Engineers identified an incident that would have caused new or renewal requests for Certainly TLS certifications to fail shortly after our customers made the request, from Sunday 23 November at 19:00 UTC to Monday 24 November at 01:34 UTC.
Requests made by customers during the affected timeframe would not have been successful and would require a follow-up request.
Our ability to deliver network and security services to existing TLS certifications was not impacted during this incident.
As part of Fastly’s global network expansion, we will be adding the Mumbai (QAO) data center to Fastly's Asia-Pacific (APAC) network.
Traffic served by our Mumbai (QAO) data center will be aggregated into our APAC region for billing and stats purposes.
We expect that some traffic currently served by our data centers in neighboring regions will shift to Mumbai (QAO). As such, some customers may see a change in their bills.
Fastly’s standard billing rates are located at https://www.fastly.com/pricing.
The scheduled maintenance has been completed.
Fastly will be performing maintenance on our Kolkata (CCU) POP starting at 21:30 UTC on the 17th of November 2025. End-users may observe traffic being served by alternate POPs within the region throughout the duration of this maintenance. Upon our completion of this maintenance activity, traffic will be restored.
Our estimated duration is 300 minutes.
Customers with any questions or concerns should contact Fastly’s Support team at https://support.fastly.com.
The scheduled maintenance has been completed.
We are investigating elevated errors to our Atlanta (PDK) Point of Presence (POP).
All other products and services are unaffected by this incident.
Our engineers believe they have identified a contributing factor causing the issue impacting the Atlanta (PDK) Point of Presence (POP).
We are now developing a fix, and will post a new update once it has been fully implemented and we see signs of recovery.
All other products and services are unaffected by this incident.
Engineering has confirmed the impact to Atlanta (PDK) POP has been mitigated.
This event has been resolved.
Status Post, Created Date/Time: 2025-11-17 02:38:06 UTC
Fastly will be adding capacity at our Frankfurt (FRA) POP. End-users may observe connection resets as traffic is migrated onto new hardware starting on 14 November 2025 at 21:00 UTC.
Our estimated duration is 2h.
When this change is applied, customers may observe additional origin traffic as new cache nodes retrieve content from origin. Please verify that your origin access lists allow the full range of Fastly IP addresses (https://docs.fastly.com/en/guides/accessing-fastlys-ip-ranges). Customers with any questions or concerns should contact Fastly’s Support team at https://support.fastly.com.
The scheduled maintenance has been completed.
Traffic in Meerut (QAD) has been temporarily rerouted.
All other locations and services are unaffected.