Next-Gen WAF (NGWAF)
The Fastly Security Team, in coordination with Vercel, AWS, Next.js, and Meta, is issuing this urgent security advisory regarding a newly discovered critical vulnerability in the React framework. The Next.js CVE-2025-66478 and React CVE-2025-55182 were published today, the 3rd of December 2025, at 15:54 UTC.
What Happened
On the 1st of December 2025, Vercel notified Fastly of a critical-severity unauthenticated Remote Code Execution (RCE) vulnerability that was responsibly disclosed to Meta, affecting React's "Server Function" protocol.
The vulnerability impacts applications utilizing React Server Components (RSC) functionality via the following common frameworks/plugins:
- Next.js versions 15 and 16 (when using App Router)
- React Router RSC preview
- Parcel RSC plugin
- Vite RSC plugin
As of this notification, Fastly does not have knowledge or evidence of this vulnerability being exploited in the wild.
However, some customers running workloads using Fastly Compute, specifically those using the affected React versions and RSC implementations listed above, may be at risk. We encourage all Compute customers to refer to the identification and mitigation steps described in the next section.
What You Can Do
Next-Gen WAF (NGWAF)
To mitigate risk for your applications protected by NGWAF, we recommend that you immediately apply the Virtual Patch for CVE-2025-66478 (which also addresses CVE-2025-55182) to all Edge and On-prem services that may be vulnerable. The detection content within this CVE-specific Templated Rule looks for specific patterns within request headers and POST bodies that may indicate potential exploitation attempts of this CVE. Fastly’s Security Research team developed and tested this content in close collaboration with Vercel and AWS.
Compute
To mitigate risk for Compute Services, we recommend that you take the following steps:
Inventory and Identification: Identify all applications within your environment that are using the affected React versions (19.0, 19.1, and 19.2) in conjunction with any of the listed RSC implementations:
- Next.js 15, 15.1, 15.2, 15.3, 15.4, 15.5, 16 (when using App Router)
- React Router RSC preview
- Parcel RSC plugin
- Vite RSC plugin
One method for identification is to perform a targeted search across your codebase for the relevant package dependencies in the package.json file. Note that package.json usually declares a version range (for example "^19.0.0"); the lockfile and the installed node_modules/<package>/package.json record the exact resolved version, which is what matters for this check. Efficient methods include:
- GitHub/Code Search: Use tools like GitHub's code search functionality.
- Command-Line Tools: Use grep or similar tools for local/private repositories.
Patching and Deployment: The affected React versions are 19.0, 19.1, and 19.2. Immediately deploy the official, stable patched versions released today, the 3rd of December 2025. The React 19 patch will be published for 19.2. The affected Next.js versions are 15 through 16, and patches will be published for versions 15, 15.1, 15.2, 15.3, 15.4, 15.5, and 16.
What We Did Immediately
Fastly initiated an internal investigation of our core platform infrastructure and has found no indication that we are directly vulnerable as of the date of this advisory. This includes the Compute platform itself: because of Compute's sandboxed architecture, applications that are not themselves vulnerable to this bug remain isolated even if neighboring applications are malicious or compromised.
In close partnership with Vercel, AWS, and Meta, our security research team began developing NGWAF content ahead of disclosure to provide protection for our customers as soon as the patch is applied. Fastly is currently investigating additional ways we can detect and block attack traffic as a result of this announced vulnerability. We will continue to develop and refine relevant NGWAF content as we observe exploitation attempts.
Customers with any questions or concerns may engage with our Support team through https://support.fastly.com or by contacting your designated account management team members.
Following further investigation and evaluation of the React2Shell vulnerability, and in response to widespread exploitation attempts, Fastly is implementing a default block for requests matching the attack signatures within NGWAF.
This action provides our NGWAF customers with enhanced defence against this emerging and urgent threat. No action is required on your part to benefit from this added protection.
We continue to encourage all customers to update any affected applications as soon as possible.
We're investigating possible performance impact affecting the Next-Gen WAF (NGWAF) for Edge WAF deployments.
All other locations and services are unaffected.
Our engineers have identified the contributing factor and are developing a fix to our Next-Gen WAF (NGWAF) for Edge WAF deployments.
All other locations and services are unaffected.
Engineering has confirmed the impact to Next-Gen WAF (NGWAF) for Edge WAF deployments has been mitigated.
Engineering has confirmed that Next-Gen WAF (NGWAF) for Edge WAF deployments has been fully restored. Customers may have experienced issues with performing a deployment from 10:19 UTC on the 29th of August, 2025 to 16:09 UTC on the 2nd of September, 2025.
This incident is resolved.
Status Post, Created Date/Time: 2025-09-02 15:57:11 UTC
Note: Our Customer Escalation Management team will update the start date and time of the initial "investigating" status post upon the resolution of this incident. This update is meant to provide our customers and their end users with a potential impact window. The date and time mentioned in the message above indicates when the status post was requested by our Acute Incident Response team.
We are investigating elevated errors and increased latency to our Compute and Next-Gen WAF (NGWAF) services.
All other products and services are unaffected by this incident.
Our engineers have identified the contributing factor and are developing a fix for our Compute and Next-Gen WAF (NGWAF) services.
All other locations and services are unaffected.
Our engineers have identified the primary cause and we've deployed mitigation steps for the issues impacting Compute and our Next-Gen WAF (NGWAF).
We are aware that our status post updates are not reaching dedicated customer chat channels correctly. For the most current and accurate information, please continue to follow the incident directly on our status page, through SMS or Email notifications which remain unaffected by this incident.
We're continuing to work with our incident response teams to fully restore service. We'll provide another update as soon as more information is available. All other locations and services are unaffected.
We can confirm that Compute services have been restored.
Our teams remain actively engaged in mitigating the issue affecting Next-Gen WAF (NGWAF) services. We'll continue to provide updates as soon as new information is available.
All other locations and services are unaffected.
We've confirmed that the issues impacting both our Compute and Next-Gen WAF (NGWAF) services have been mitigated.
We will continue to monitor until we’ve confirmed that customer experience has been fully restored.
This incident has been resolved. On the 18th of August 2025, customers experienced impact to Compute services between 18:50-19:26 UTC and NGWAF services between 18:50-21:59 UTC. During these times, customers may have seen elevated errors and increased latency. Services leveraging Compute, such as certain public APIs (KV Store, Domainr, etc.), were also affected.
Separately, our CX Escalation engineers identified and resolved a vendor-related issue that prevented status updates from reaching dedicated customer chat channels during a portion of the incident. All notification systems are now fully operational.
This incident is fully resolved.
Status Post, Created Date/Time: 2025-08-18 19:09:15 UTC
We're currently investigating performance issues with our logging data for customers that utilize the Edge WAF service.
All other services are unaffected.
Our engineers have identified the contributing factor and are developing a fix for logging within the Edge WAF service.
All other locations and services are unaffected.
Our engineers have identified a contributing factor and are continuing to implement a mitigation strategy for logging within the Edge WAF service.
All other locations and services are unaffected.
Engineering has deployed a fix and has confirmed a gradual recovery of logging within the Edge WAF service. We will continue to monitor until we've confirmed that customer experience has been fully restored.
Engineering has confirmed that logging within the Edge WAF service has been fully restored. Customers may have experienced loss of data from 21:45 UTC on August 14th, 2025, to 02:08 UTC on August 15th, 2025.
This incident is resolved.
Affected customers may have experienced impact to varying degrees and to a shorter duration than as set forth above.
Status Post, Created Date/Time: 2025-08-14 23:07:14 UTC
On the 18th of July, 2025, Fastly was made aware of a new HTTP/1.1 desync attack vector. Our security response engineers immediately initiated a thorough internal investigation, which determined that the Fastly platform is not vulnerable to this attack vector.
On the 21st of July, to validate our findings, we collaborated with the third-party researcher who discovered the attack vector. In this process, we confirmed that no Fastly-hosted endpoints were flagged as vulnerable during their research. The researcher noted that "Fastly seems to be relatively robust against desync attacks."
For additional due diligence, our Engineering teams also reviewed a preview of the full whitepaper on the 28th of July, which further confirmed our conclusions.
You can read more about their research here: "The Desync Endgame Begins" by James Kettle, PortSwigger Research.
As part of our ongoing branding unification efforts, we are updating the sender domain for all email communications related to Signal Sciences.
Effective the 28th of July 2025, emails originating from support@signalsciences.com will now be sent from no-reply@fastly.com. All official communications will now come directly from an @fastly domain.
This change is purely an update to our email infrastructure to align with our unified brand identity and does not impact the functionality or delivery of your Signal Sciences services. Your service experience, data, and access remain unchanged.
Please ensure your email filters and allow lists are updated to reflect this change to avoid any disruption in receiving important notifications and updates from Signal Sciences services.
If you have any questions or require further clarification, please do not hesitate to contact our support team.
We are investigating elevated errors to our Next-Gen WAF (NGWAF) data.
All other products and services are unaffected by this incident.
Our engineers have identified the contributing factor and are developing a fix for our Next-Gen WAF (NGWAF) data.
All other locations and services are unaffected.
Engineering has confirmed the impact to our Next-Gen WAF (NGWAF) data has been mitigated.
Engineering has confirmed that Next-Gen WAF (NGWAF) data services have returned to pre-incident operational levels. Impacted customers will have experienced a loss in data from 16:40 to 19:20 UTC.
This incident is resolved.
Status Post, Created Date/Time: 2025-07-21 18:33:47 UTC
We are investigating elevated errors to our Next-Gen WAF (NGWAF) service.
All other products and services are unaffected by this incident.
Further research shows that new rules deployed to customer NGWAF services may not be functioning as intended. Our engineers are investigating this degraded performance of our NGWAF product.
Investigations show that existing rules deployed to customer NGWAF services, as well as our ability to deliver Network services and all other products are unaffected by this incident.
Our engineers have identified the contributing factor and are developing a fix for new rule deployments to customer NGWAF services.
All other products and services are unaffected by this incident.
Engineering has confirmed the impact to Next-Gen WAF (NGWAF) service has been mitigated.
Engineering has confirmed that Next-Gen WAF (NGWAF) service has been fully restored. Customers may have experienced a delay in new rules deployed from 13:20 to 19:10 UTC.
This incident is resolved.
Status Post, Created Date/Time: 2025-04-23 18:49:29 UTC
We're investigating possible performance impact affecting the Next-Gen WAF (NGWAF) service.
Our engineers have identified the contributing factor and are applying a fix to our Next-Gen WAF (NGWAF) services.
Our engineers have identified the potential contributing factor and are continuing to apply the mitigation strategy to our Next-Gen WAF (NGWAF) service.
A correction has been deployed to the NGWAF platform by Engineering, resulting in a phased recovery for affected customers. Deployment monitoring will persist until full service restoration is observed for all impacted services.
This incident caused disruption to customers utilizing NGWAF services; all other products and services remained operational.
Customers experiencing ongoing issues are encouraged to contact their assigned account teams or the support team through dedicated support chat or email at support@fastly.com if a case is not already in progress.
Engineering has confirmed that our Next-Gen WAF (NGWAF) service has been fully restored. Customers utilizing Next-Gen WAF (NGWAF) services may have experienced elevated 5xx and 4xx errors from the 8th of April at 20:03 to the 9th of April at 01:07 UTC.
This incident is resolved.
Affected customers may have experienced impact to varying degrees and to a shorter duration than as set forth above.
Status Post, Created Date/Time: 2025-04-08 20:50:17 UTC
Fastly Engineers detected a performance impacting event affecting the Next-Gen WAF (NGWAF) service.
All other data centers and services were unaffected. The issue has been resolved and we are monitoring performance closely.