Customer Services
The Fastly Security Team, in coordination with Vercel, AWS, Next.js, and Meta, is issuing this urgent security advisory regarding a newly discovered critical vulnerability in React Server Components. The Next.js CVE-2025-66478 and React CVE-2025-55182 were published today, the 3rd of December 2025, at 15:54 UTC.
What Happened
On the 1st of December 2025, Vercel notified Fastly of a critical-severity unauthenticated Remote Code Execution (RCE) vulnerability, responsibly disclosed to Meta, in React's "Server Function" protocol.
The vulnerability impacts applications utilizing React Server Components (RSC) functionality via the following common frameworks/plugins:
- Next.js versions 15 and 16 (when using App Router)
- React Router RSC preview
- Parcel RSC plugin
- Vite RSC plugin
As of this notification, Fastly does not have knowledge or evidence of this vulnerability being exploited in the wild.
However, some customers running workloads using Fastly Compute, specifically those using the affected React versions and RSC implementations listed above, may be at risk. We encourage all Compute customers to refer to the identification and mitigation steps described in the next section.
What You Can Do
Next-Gen WAF (NGWAF)
To mitigate risk for your applications protected by NGWAF, we recommend that you immediately apply the Virtual Patch for CVE-2025-66478 (which also addresses CVE-2025-55182) to all Edge and On-prem services that may be vulnerable. The detection content within this CVE-specific Templated Rule looks for specific patterns within request headers and POST bodies that may indicate potential exploitation attempts of this CVE. Fastly’s Security Research team developed and tested this content in close collaboration with Vercel and AWS.
Compute
To mitigate risk for Compute Services, we recommend that you take the following steps:
Inventory and Identification: Identify all applications within your environment that use the affected React versions (19.0, 19.1, and 19.2) together with any of the listed RSC implementations:
- Next.js 15, 15.1, 15.2, 15.3, 15.4, 15.5, or 16, when using App Router
- React Router RSC preview
- Parcel RSC plugin
- Vite RSC plugin
One method for identification is a targeted search across your codebase for the relevant package dependencies in package.json files. Note that package.json usually records a version range (for example a caret range such as ^19.1.0) rather than the installed version, so confirm the resolved version against the lockfile (package-lock.json, yarn.lock, or pnpm-lock.yaml) or the deployed bundle. Efficient methods include:
- GitHub/Code Search: Use tools like GitHub's code search functionality.
- Command-Line Tools: Use grep or similar tools for local/private repositories.
Patching and Deployment: The affected React versions are 19.0, 19.1, and 19.2. Immediately deploy the official, stable patched versions released today, the 3rd of December 2025. The React 19 patch will be published as a new 19.2 release. The affected Next.js versions are 15 through 16, and patches will be published for versions 15, 15.1, 15.2, 15.3, 15.4, 15.5, and 16.
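The inventory step above can be scripted. The following is an added example, not Fastly's, Vercel's or Meta's code: it walks a source tree, reads each package.json and, where present, the package-lock.json beside it (lockfile versions 2 and 3, whose "packages" map is keyed by paths such as node_modules/react), and reports dependencies whose versions fall inside the ranges the advisory lists. Two assumptions are built in: react-dom is checked against the React ranges because it ships with and tracks React's version, and any Next.js 16.x is treated as affected because the advisory names "16" without a minor. The patched releases share these minor versions, so a hit means "compare against the patched release", not "confirmed vulnerable".

```python
"""Find package.json files whose React / Next.js versions fall in the ranges
named in the React Server Components advisory (React 19.0-19.2, Next.js
15.0-15.5 and 16). Added example; not Fastly's, Vercel's or Meta's code."""
import json
import os
import re
import sys
from typing import Dict, List, Optional, Tuple

# Assumption: react-dom is checked against the React ranges because it ships
# with and tracks React's version. Other RSC plugins named in the advisory are
# not listed here because the advisory gives no package names for them.
REACT_PACKAGES = {"react", "react-dom"}
NEXT_PACKAGES = {"next"}
AFFECTED_REACT_MINORS = {(19, 0), (19, 1), (19, 2)}
AFFECTED_NEXT_MINORS = {(15, m) for m in range(0, 6)}  # 15.0 through 15.5

Version = Tuple[int, int, int]


def _parse_version(spec: str) -> Optional[Version]:
    """Pull major.minor.patch out of an exact version or a caret/tilde range.
    Returns None for specs that name no concrete version ("latest",
    "workspace:*", "file:../react", git URLs); those must be resolved via
    the lockfile."""
    if spec.startswith(("file:", "link:", "git", "http", "workspace:")):
        return None
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", spec)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def is_affected(name: str, version: Version) -> bool:
    """True if (name, version) lies inside the advisory's affected ranges."""
    major, minor, _ = version
    if name in REACT_PACKAGES:
        return (major, minor) in AFFECTED_REACT_MINORS
    if name in NEXT_PACKAGES:
        # Assumption: all of Next.js 16.x is affected; the advisory says "16".
        return major == 16 or (major, minor) in AFFECTED_NEXT_MINORS
    return False


def find_candidates(package_json: dict, lockfile: Optional[dict] = None) -> List[dict]:
    """One finding per flagged dependency in a parsed package.json.
    When a parsed package-lock.json is given, its top-level resolved version
    overrides the declared range, since "^19.1.0" alone does not say what
    is installed."""
    declared: Dict[str, str] = {}
    for section in ("dependencies", "devDependencies", "peerDependencies"):
        declared.update(package_json.get(section) or {})

    resolved: Dict[str, str] = {}
    if lockfile:
        for path, entry in (lockfile.get("packages") or {}).items():
            if not path.startswith("node_modules/"):
                continue  # "" is the root project entry
            name = path[len("node_modules/"):]
            if "node_modules/" in name:
                continue  # nested copy under another package; keep top level only
            resolved[name] = entry.get("version", "")

    findings = []
    for name in sorted(declared):
        if name not in REACT_PACKAGES | NEXT_PACKAGES:
            continue
        spec = resolved.get(name) or declared[name]
        version = _parse_version(spec)
        if version is None:
            findings.append({"package": name, "spec": spec,
                             "status": "unresolved: check lockfile"})
        elif is_affected(name, version):
            findings.append({"package": name, "spec": spec,
                             "status": "affected range: compare with patched release"})
    return findings


def scan_tree(root: str) -> Dict[str, List[dict]]:
    """Walk `root` (skipping node_modules) and run find_candidates per project."""
    report: Dict[str, List[dict]] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != "node_modules"]
        if "package.json" not in filenames:
            continue
        with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
            pkg = json.load(fh)
        lock = None
        if "package-lock.json" in filenames:
            with open(os.path.join(dirpath, "package-lock.json"), encoding="utf-8") as fh:
                lock = json.load(fh)
        hits = find_candidates(pkg, lock)
        if hits:
            report[dirpath] = hits
    return report


if __name__ == "__main__":
    for path, hits in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        for h in hits:
            print(f"{path}: {h['package']} {h['spec']} -> {h['status']}")
```

Run it against a checkout root (`python scan_rsc.py /path/to/repos`); projects whose package.json points at "latest" or a workspace link without a lockfile are reported as unresolved so they are not silently skipped.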
What We Did Immediately
Fastly initiated an internal investigation of our core platform infrastructure and has found no indication that we are directly vulnerable as of the date of this advisory. This includes the Compute platform itself: because of Compute's sandboxed architecture, any apps that are not vulnerable to this bug remain protected even if neighboring apps are malicious or compromised.
In close partnership with Vercel, AWS, and Meta, our security research team began developing NGWAF content ahead of disclosure so that customers are protected as soon as the Virtual Patch is applied. Fastly is currently investigating additional ways to detect and block attack traffic resulting from this announced vulnerability. We will continue to develop and refine relevant NGWAF content as we observe exploitation attempts.
Customers with any questions or concerns may engage with our Support team through https://support.fastly.com or by contacting your designated account management team members.
Following further investigation and evaluation of the React2Shell vulnerability (CVE-2025-55182), and in response to widespread exploitation attempts, Fastly is implementing a default block for requests matching the attack signatures within NGWAF.
This action provides our NGWAF customers with enhanced defence against this emerging and urgent threat. No action is required on your part to benefit from this added protection.
We continue to encourage all customers to update any affected applications as soon as possible.
Customers with any questions or concerns may engage with our Support team through https://support.fastly.com or by contacting your designated account management team members.
On the 11th of December 2025 CVE-2025-55184 and CVE-2025-55183 were published; unlike React2Shell, these vulnerabilities do not allow for Remote Code Execution.
CVE-2025-55184 facilitates a Denial of Service in which an attacker can force a vulnerable application server into an infinite loop by crafting a specific request.
CVE-2025-55183 facilitates a leak of React Server Function source code. This CVE is likely low impact for you unless you are using React Server Components and have sensitive or proprietary information contained in React Server Function source code.
What We Did Immediately
After receiving initial information from Vercel and Meta about CVE-2025-55184 and CVE-2025-55183, Fastly developed and deployed a Virtual Patch for each CVE in blocking mode by default for all Fastly NGWAF customers out of an abundance of caution. If you wish to disable this virtual patch, please refer to our documentation.
We continue to encourage all customers to update any affected applications as soon as possible.
Customers with any questions or concerns may engage with our Support team through https://support.fastly.com or by contacting your designated account management team members.
We are seeing a possible error or delay in message propagation within our Support Chat Systems, caused by a third party service provider issue. The provider has shared information on their status page.
Our ability to provide support through support@fastly.com is unaffected by this incident, if you are experiencing delayed responses in your dedicated support chat channel, please switch to email methods to ensure prompt response by our support team. Network and Security products remain unaffected by this third party provider event, and services continue to be delivered to our customers.
We will continue to monitor the providers status page and report once Support Chat Systems are no longer at risk of impact.
Our third party service provider has confirmed that mitigations have been deployed and they are monitoring for any further impact to Support Chat Services.
We will continue to monitor until they have confirmed all services have been fully restored.
Our ability to deliver all other services remains unaffected by the third party provider's incident.
We are issuing an urgent advisory regarding an incompatibility between Compute services and the newly released Rust version 1.91.
Action Required
We strongly recommend that you DO NOT upgrade to Rust version 1.91 at this time.
What Happened
We first identified this incompatibility in our testing environment on the 30th of October 2025, and have since confirmed the same Compute crash behavior in our production environment.
Incompatible Version: Rust 1.91
Compatible Version: Rust 1.90 and below (Previous Stable Versions)
Impact: Using Rust 1.91 with Compute may lead to crash behavior, which will impact your traffic on Fastly.
What’s next? What do I have to do?
If you have already upgraded your services to Rust version 1.91, you must immediately downgrade to the previous stable and compatible version, Rust version 1.90, to prevent or resolve any impact to your traffic.
We are actively working on a fix to ensure compatibility with Rust version 1.91 and will provide an update as soon as a fix is available. Thank you for your patience and understanding.
Customers with any questions or concerns may engage with our Support team through https://support.fastly.com or by contacting your designated account management team members.
The Fastly status page https://fastlystatus.com is currently unavailable. Our vendor has advised that the issue is related to an ongoing incident with Azure Portal and they are working to fully restore https://fastlystatus.com. As a temporary workaround our vendor has shifted our status page to https://fastly.status.page.
All other Fastly services are unaffected by this event.
We are investigating an elevated error rate within our support ticketing systems. Customers may experience failed support case functions when attempting to generate a support case from Support Chat systems. We ask that customers email Support teams at support@fastly.com to ensure no delays.
Our network availability and all other services are unaffected.
Status Post, Created Date/Time: 2025-10-20 08:21:47 UTC
Note: Our Customer Escalation Management team will update the start date and time of this status post upon the resolution of this incident. This update is meant to provide our customers and their end users with a potential impact window. The date and time mentioned in the message above indicates when the status post was requested by our Acute Incident Response team.
Our engineers believe they have identified a contributing factor to the issue impacting the Support Ticketing System status page component.
We will post a new update once it has been fully implemented and we see signs of recovery.
All other products and services are unaffected by this incident.
Engineering has confirmed the impact to our Support Ticketing System has been mitigated.
Due to the recent implementation of a new billing system, you may experience a delay in receiving your invoice for September 2025. We are committed to prompt and accurate billing and apologize for any inconvenience this may cause.
What’s next? What do I have to do?
Fastly's support team will contact affected customers with more details during North America business hours on Monday, the 6th of October 2025.
On the 6th of October, if you have not yet received your invoice and have not been contacted by us through the notifications center in the Fastly User Interface (UI), please email our Billing Support team. We will work with you to resolve any issues.
For other questions or concerns, please contact our Support team or reach out to your designated account team members.
Starting on the 15th of September 2025, Fastly will strengthen how password expiration is enforced for organizations with PCI password requirements enabled. Users with expired passwords will be prompted to set a new password at their next login.
What’s Changing?
This change in our system's behavior ensures that all customers who have enabled PCI (Payment Card Industry) password requirements will experience consistent and robust enforcement of password expiration policies. This update is crucial for maintaining the highest security standards and compliance with industry regulations.
By aligning user login behavior with established security best practices and compliance standards, we are taking a proactive step to safeguard sensitive data and enhance overall system integrity. Consistent password expiration helps to mitigate risks associated with stale or compromised credentials, thereby protecting both our customers and their information.
What’s next? What do I have to do?
Users with expired passwords will need to perform a password reset when logging in.
Contact Information
Customers with any questions or concerns may engage with our Support team by emailing support@fastly.com.
Fastly was impacted by the recent security incident involving Salesloft's Drift application. We have investigated and notified all Fastly customers affected. This incident was isolated to our Salesforce instance and did not impact any Fastly services, infrastructure, or products. This post includes a summary of our response and the customer outreach we've performed.
What Happened
Between August 13 and August 18, 2025, a threat actor (tracked as UNC6395 by Google Mandiant) exploited stolen OAuth tokens tied to the Drift integration to gain unauthorized access to Salesforce instances across many companies, including Fastly. The incident was contained on August 20, 2025 when Salesloft and Salesforce disabled the integration. We immediately began our own investigation, confirming that the malicious activity was isolated to our Salesforce instance and the data accessed was limited to case subjects, descriptions, and contact details.
What We Did Immediately
After confirming containment, our security team took the following actions:
Reviewed Salesforce audit logs for anomalous activity.
Analyzed and removed other active Drift integrations out of an abundance of caution, confirming only the Salesforce integration was impacted.
Reset OAuth sessions by re-authenticating the integration account.
Coordinated with Salesforce to verify containment and extract details not contained in audit logs.
Analyzed query activities by the threat actor to identify the compromised data.
What You Can Do
We recommend customers rotate any credentials previously shared with Fastly in a support case. Additionally, to protect against potential follow-up attacks, please be cautious of unsolicited emails, calls, or requests for sensitive information. Remember, Fastly will never ask for your passwords or credentials.
Customer Notifications
We have distributed Fastly Service Advisories to impacted parties as of September 4. Fastly customers with superuser access on impacted accounts should have received an email notification of a new message in their Fastly control panel Message portal or a direct email from support@fastly.com. All other users on the impacted accounts will have received a Fastly Service Advisory to the Message portal within their control panel, and can view it upon their next log-in.
Customers who have not received a Service Advisory were not identified in our investigation as being impacted. If you have questions, please email support@fastly.com.
Due to the recent implementation of a new billing system, you may experience a delay in receiving your invoice for August 2025. We are committed to prompt and accurate billing and apologize for any inconvenience this may cause.
What’s next? What do I have to do?
Fastly's support team will contact affected customers with more details during North America business hours on Thursday, 4th of September 2025.
On the 5th of September, if you have not yet received your invoice and have not been contacted by us through the notifications center in the Fastly User Interface (UI), please email us at billing@fastly.com. We will work with you to resolve any issues.
For other questions or concerns, please contact our Support team at https://support.fastly.com or reach out to your designated account team members.