General Updates
The Fastly Security Team, in coordination with Vercel, AWS, Next.js, and Meta, is issuing this urgent security advisory regarding a newly discovered, critical vulnerability in React Server Components. The Next.js CVE-2025-66478 and React CVE-2025-55182 were published today, the 3rd of December 2025, at 15:54 UTC.
What Happened
On the 1st of December 2025, Vercel notified Fastly of a critical-severity unauthenticated Remote Code Execution (RCE) vulnerability, responsibly disclosed to Meta, affecting React’s “Server Function” protocol (the React Server Components mechanism by which a client request invokes a server-side function).
The vulnerability impacts applications utilizing React Server Components (RSC) functionality via the following common frameworks/plugins:
- Next.js versions 15 and 16 (when using App Router)
- React Router RSC preview
- Parcel RSC plugin
- Vite RSC plugin
As of this notification, Fastly does not have knowledge or evidence of this vulnerability being exploited in the wild.
However, customers running workloads on Fastly Compute that use the affected React versions and RSC implementations listed above may be at risk. We encourage all Compute customers to follow the identification and mitigation steps described in the next section.
What You Can Do
Next-Gen WAF (NGWAF)
To mitigate risk for your applications protected by NGWAF, we recommend that you immediately apply the Virtual Patch for CVE-2025-66478 (which also addresses CVE-2025-55182) to all Edge and On-prem services that may be vulnerable. The detection content within this CVE-specific Templated Rule looks for specific patterns within request headers and POST bodies that may indicate potential exploitation attempts of this CVE. Fastly’s Security Research team developed and tested this content in close collaboration with Vercel and AWS.
Compute
To mitigate risk for Compute Services, we recommend that you take the following steps:
Inventory and Identification: Identify all applications within your environment that use the affected React versions (19.0, 19.1, and 19.2) together with any of the listed RSC implementations:
- Next.js 15, 15.1, 15.2, 15.3, 15.4, 15.5, and 16 (when using App Router)
- React Router RSC preview
- Parcel RSC plugin
- Vite RSC plugin
One method of identification is a targeted search across your codebase for the relevant package dependencies in each project's package.json. Note that package.json declares a version range; the lockfile (package-lock.json, yarn.lock, or pnpm-lock.yaml) records the version actually installed and should be checked as well. Efficient methods include:
- GitHub/Code Search: Use tools like GitHub's code search functionality.
- Command-Line Tools: Use grep or similar tools for local/private repositories.
Patching and Deployment: The affected React versions are 19.0, 19.1, and 19.2. Immediately deploy the official, stable patched versions released today, the 3rd of December 2025. The React 19 patch will be published for 19.2. The affected Next.js versions are 15 through 16, and patches will be published for versions 15, 15.1, 15.2, 15.3, 15.4, 15.5, and 16.
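The inventory step above can be scripted instead of eyeballing grep output. The following is an added example (not Fastly, Vercel or Meta tooling) that reads package.json manifests, reduces each React and Next.js specifier to its release series, and flags the series named in this advisory (React 19.0, 19.1, 19.2; Next.js 15.0 through 15.5 and 16). It deliberately does not hard-code the patched release numbers: a patched 19.2.x and an unpatched 19.2.x share a series, so a flagged entry means "resolve the installed version from the lockfile and compare it with the fixed release", not "confirmed vulnerable". The App Router heuristic (presence of a root layout under app/ or src/app/) and the sample manifests are assumptions constructed for this example.

```python
#!/usr/bin/env python3
"""Flag package.json manifests whose React / Next.js dependencies fall in the
release series named in the advisory. Added example, not vendor tooling."""
import json
import os
import re
from typing import Dict, Iterable, Iterator, List, Optional, Tuple

# Release series from the advisory: React 19.0-19.2, Next.js 15.0-15.5 and 16.
# A specifier in one of these series is a candidate, not a confirmed vulnerable
# install: the patched releases live in the same series, so the exact installed
# version (from the lockfile) must be compared with the vendor's fixed release.
AFFECTED_SERIES: Dict[str, set] = {
    "react": {(19, 0), (19, 1), (19, 2)},
    "react-dom": {(19, 0), (19, 1), (19, 2)},
    "next": {(15, m) for m in range(0, 6)} | {(16, 0)},
}
DEP_FIELDS = ("dependencies", "devDependencies", "optionalDependencies", "peerDependencies")
_VERSION = re.compile(r"(\d+)(?:\.(\d+|x|\*))?")


def series(spec: str) -> Optional[Tuple[int, int]]:
    """Reduce an npm specifier ("^19.1.0", "~15.3", ">=16 <17", "19.x") to its
    (major, minor) series. Returns None when the specifier carries no version
    (tags such as "latest"/"canary", "*", workspace:/file:/git/npm: specs);
    those must be resolved from the lockfile rather than the manifest."""
    spec = spec.strip()
    if spec.startswith(("workspace:", "file:", "link:", "git", "http", "npm:")):
        return None
    m = _VERSION.search(spec)
    if not m:
        return None
    major = int(m.group(1))
    # "^19" or "19.x" span every minor; report minor 0 so the series check still fires.
    minor = int(m.group(2)) if m.group(2) and m.group(2).isdigit() else 0
    return major, minor


def scan_manifest(manifest: Dict) -> List[Tuple[str, str, str]]:
    """Return (package, specifier, verdict) for every React/Next.js dependency that
    is in an affected series or cannot be resolved from the manifest alone."""
    findings: List[Tuple[str, str, str]] = []
    for field in DEP_FIELDS:
        for name, spec in manifest.get(field, {}).items():
            if name not in AFFECTED_SERIES:
                continue
            s = series(str(spec))
            if s is None:
                findings.append((name, str(spec), "unresolved: check installed version in lockfile"))
            elif s in AFFECTED_SERIES[name]:
                findings.append((name, str(spec),
                                 "affected series %d.%d: confirm patched release is installed" % s))
    return findings


# Heuristic for the advisory's "when using App Router" condition: the App Router
# requires a root layout under app/ or src/app/. Pages-Router-only projects are not
# flagged. This is an assumption made for this example, not a rule from the advisory.
_LAYOUT = re.compile(r"^(?:src/)?app/layout\.(?:js|jsx|ts|tsx)$")


def uses_app_router(relative_paths: Iterable[str]) -> bool:
    return any(_LAYOUT.match(p.replace(os.sep, "/")) for p in relative_paths)


def _walk_relative(project_dir: str) -> Iterator[str]:
    for d, dirs, files in os.walk(project_dir):
        dirs[:] = [x for x in dirs if x not in ("node_modules", ".git", ".next")]
        for f in files:
            yield os.path.relpath(os.path.join(d, f), project_dir)


def scan_project(project_dir: str) -> Dict[str, object]:
    """Read <project_dir>/package.json and look for App Router markers on disk."""
    with open(os.path.join(project_dir, "package.json"), encoding="utf-8") as fh:
        manifest = json.load(fh)
    return {"findings": scan_manifest(manifest),
            "app_router": uses_app_router(_walk_relative(project_dir))}


# Constructed sample manifests for demonstration; these are not real projects.
SAMPLES: Dict[str, Dict] = {
    "app-router-next15": {"dependencies": {"next": "15.3.2", "react": "^19.1.0", "react-dom": "^19.1.0"}},
    "legacy-next14": {"dependencies": {"next": "14.2.5", "react": "^18.3.1", "react-dom": "^18.3.1"}},
    "floating-tag": {"devDependencies": {"next": "canary"}},
}


def report(samples: Dict[str, Dict]) -> Dict[str, List[Tuple[str, str, str]]]:
    return {name: scan_manifest(m) for name, m in samples.items()}


if __name__ == "__main__":
    for name, findings in report(SAMPLES).items():
        print(name, "->", findings or "no React/Next.js dependency in an affected series")
```

Run it against real checkouts with scan_project(path); a manifest whose only finding is "unresolved" (a tag such as canary, or a workspace: link) is the case grep misses entirely, since the installed version exists only in the lockfile.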
What We Did Immediately
Fastly initiated an internal investigation of our core platform infrastructure and has found no indication that we are directly vulnerable as of the date of this advisory. This includes the Compute platform itself: because each Compute application runs in its own sandbox, apps that are not vulnerable to this bug remain protected even if neighboring apps are malicious or compromised.
In close partnership with Vercel, AWS, and Meta, our security research team began developing NGWAF content ahead of disclosure to provide protection for our customers as soon as the Virtual Patch is applied. Fastly is currently investigating additional ways to detect and block attack traffic targeting this vulnerability. We will continue to develop and refine the relevant NGWAF content as we observe exploitation attempts.
Customers with any questions or concerns may engage with our Support team through https://support.fastly.com or by contacting your designated account management team members.
Following further investigation and evaluation of the React2Shell vulnerability, and in response to widespread exploitation attempts, Fastly is implementing a default block for requests matching the attack signatures within NGWAF.
This action provides our NGWAF customers with enhanced defence against this emerging and urgent threat. No action is required on your part to benefit from this added protection.
We continue to encourage all customers to update any affected applications as soon as possible.
Customers with any questions or concerns may engage with our Support team through https://support.fastly.com or by contacting your designated account management team members.
We are issuing an urgent advisory regarding an incompatibility between Compute services and the newly released Rust version 1.91.
Action Required
We strongly recommend that you DO NOT upgrade to Rust version 1.91 at this time.
What Happened
We first identified this incompatibility in our testing environment on the 30th of October 2025, and have since confirmed the same Compute crash behavior in our production environment.
Incompatible Version: Rust 1.91
Compatible Version: Rust 1.90 and below (Previous Stable Versions)
Impact: Using Rust 1.91 with Compute may lead to crash behavior, which will impact your traffic on Fastly.
What’s next? What do I have to do?
If you have already upgraded your services to Rust version 1.91, you must immediately downgrade to the previous stable and compatible version, Rust version 1.90, to prevent or resolve any impact to your traffic.
We are actively working on a fix to ensure compatibility with Rust version 1.91 and will provide an update as soon as a fix is available. Thank you for your patience and understanding.
Customers with any questions or concerns may engage with our Support team through https://support.fastly.com or by contacting your designated account management team members.
The Fastly status page https://fastlystatus.com is currently unavailable. Our vendor has advised that the issue is related to an ongoing incident with Azure Portal and they are working to fully restore https://fastlystatus.com. As a temporary workaround our vendor has shifted our status page to https://fastly.status.page.
All other Fastly services are unaffected by this event.
Due to the recent implementation of a new billing system, you may experience a delay in receiving your invoice for September 2025. We are committed to prompt and accurate billing and apologize for any inconvenience this may cause.
What’s next? What do I have to do?
Fastly's support team will contact affected customers with more details during North America business hours on Monday, the 6th of October 2025.
On the 6th of October, if you have not yet received your invoice and have not been contacted by us through the notifications center in the Fastly User Interface (UI), please email our Billing Support team. We will work with you to resolve any issues.
For other questions or concerns, please contact our Support team or reach out to your designated account team members.
Starting on the 15th of September 2025, Fastly will strengthen how password expiration is enforced for organizations with PCI password requirements enabled. Users with expired passwords will be prompted to set a new password at their next login.
What’s Changing?
This change in our system's behavior ensures that all customers who have enabled PCI (Payment Card Industry) password requirements will experience consistent and robust enforcement of password expiration policies. This update is crucial for maintaining the highest security standards and compliance with industry regulations.
By aligning user login behavior with established security best practices and compliance standards, we are taking a proactive step to safeguard sensitive data and enhance overall system integrity. Consistent enforcement of password expiration helps to mitigate the risk posed by stale or compromised credentials, thereby protecting both our customers and their information.
What’s next? What do I have to do?
Users with expired passwords will need to perform a password reset when logging in.
Contact Information
Customers with any questions or concerns may engage with our Support team by emailing support@fastly.com.
Fastly was impacted by the recent security incident involving Salesloft's Drift application. We have investigated and notified all Fastly customers affected. This incident was isolated to our Salesforce instance and did not impact any Fastly services, infrastructure, or products. This post includes a summary of our response and the customer outreach we’ve performed.
What Happened
Between August 13 and August 18, 2025, a threat actor (tracked as UNC6395 by Google Mandiant) exploited stolen OAuth tokens tied to the Drift integration to gain unauthorized access to Salesforce instances across many companies, including Fastly. The incident was contained on August 20, 2025 when Salesloft and Salesforce disabled the integration. We immediately began our own investigation, confirming that the malicious activity was isolated to our Salesforce instance and the data accessed was limited to case subjects, descriptions, and contact details.
What We Did Immediately
After confirming containment, our security team took the following actions:
Reviewed Salesforce audit logs for anomalous activity.
Analyzed and removed other active Drift integrations out of an abundance of caution, confirming only the Salesforce integration was impacted.
Reset OAuth sessions by re-authenticating the integration account.
Coordinated with Salesforce to verify containment and extract details not contained in audit logs.
Analyzed query activities by the threat actor to identify the compromised data.
What You Can Do
We recommend customers rotate any credentials previously shared with Fastly in a support case. Additionally, to protect against potential follow-up attacks, please be cautious of unsolicited emails, calls, or requests for sensitive information. Remember, Fastly will never ask for your passwords or credentials.
Customer Notifications
We have distributed Fastly Service Advisories to impacted parties as of September 4. Fastly customers with superuser access on impacted accounts should have received an email notification of a new message in their Fastly control panel Message portal or a direct email from support@fastly.com. All other users on the impacted accounts will have received a Fastly Service Advisory to the Message portal within their control panel, and can view it upon their next log-in.
Customers who have not received a Service Advisory were not identified in our investigation as being impacted. If you have questions, please email support@fastly.com.
Due to the recent implementation of a new billing system, you may experience a delay in receiving your invoice for August 2025. We are committed to prompt and accurate billing and apologize for any inconvenience this may cause.
What’s next? What do I have to do?
Fastly's support team will contact affected customers with more details during North America business hours on Thursday, 4th of September 2025.
On the 5th of September, if you have not yet received your invoice and have not been contacted by us through the notifications center in the Fastly User Interface (UI), please email us at billing@fastly.com. We will work with you to resolve any issues.
For other questions or concerns, please contact our Support team at https://support.fastly.com or reach out to your designated account team members.
On the 26th of August 2025, we released an update to the VCL Editor in the Fastly Control Panel. This release unified Snippets, Custom VCL, and Complete VCL into a single, modernized view.
What has Changed
This update introduced several improvements:
Modernized Code Editor: Enjoy a smoother coding experience with syntax highlighting, error checking, and code folding.
Full-Screen Mode: Expand the editor to easily read, edit, and review complex VCL.
Unified VCL View: Manage VCL Snippets, Custom VCL, and Complete VCL in one place to simplify your workflow.
Editable Dynamic Snippets: Add and edit Dynamic Snippets directly in the UI.
Boilerplate Insertion: Insert boilerplate code directly from the Custom VCL view.
Auto-Generated Code: Reduce manual effort by automatically generating standard VCL functions and variables.
To learn more about these changes, please see our documentation: About VCL snippets and Using VCL snippets.
What’s next? What do I have to do?
No action is required.
Contact Information
If you have any questions, please contact our Support team at https://support.fastly.com or reach out to your account team.
As part of Fastly's ongoing global network expansion, we are announcing the addition of our new data centers in Madurai (IXM) and Delhi (QAG).
These facilities will initially launch as a limited availability deployment on the 19th of August 2025, meaning not all customer traffic will be routed through these new locations during this initial phase.
Our estimated duration is 4 hours, starting at 18:00 UTC on the 19th of August.
When this change is applied, customers may observe additional origin traffic as new cache nodes retrieve content from origin. Please verify that your origin access lists allow the full range of Fastly IP addresses (see the Public IP List in the Fastly Documentation).
Customers with any questions or concerns may engage with our Support team through Fastly Support or by contacting your designated account management team members.
We're happy to announce that the Madurai (IXM) and Delhi (QAG) data centers have been successfully moved from their initial limited availability phase to general availability. As of September 25, 2025, all customer traffic will now be routed through these locations.
On the 13th of May 2025, Fastly received a pre-release report detailing a distributed denial of service (DDoS) vulnerability called MadeYouReset (CVE-2025-8671). Fastly implemented a fix for this vulnerability in release 25.17 of Fastly’s internal fork of H2O. The fix was deployed and fully implemented across Fastly on the 2nd of June 2025.
Vulnerability Details
The MadeYouReset vulnerability (CVE-2025-8671) was publicly disclosed on the 13th of August, 2025. It abuses the same HTTP/2 stream-reset weakness as Rapid Reset (CVE-2023-44487): streams that are reset free their slot under the concurrency limit while the server keeps doing work for them. The difference is that MadeYouReset provokes the server into sending the RST_STREAM itself (via protocol violations) rather than the client sending it, so mitigations that only rate-limit client-sent resets do not apply. The vulnerability existed in the upstream H2O repository and also in Fastly’s forked version of H2O. In addition to ensuring our forked version of H2O was patched, Fastly Engineering coordinated with the original vulnerability researcher to proactively patch the upstream repository and resolve the core issue. This ensured the fix is available across all environments that rely on the open source implementation of H2O.
For more information about this vulnerability and its upstream fix in H2O, please see:
What’s next? What do I have to do?
No customer action is required. The fix has been applied across Fastly.
Customers with any questions or concerns may engage with our Support team through https://support.fastly.com or by contacting your designated account management team members.