Origin Connect
Fastly Engineers detected a performance impacting event affecting our certificate authorization system for Fastly-managed certificates.
All other data centers and services were unaffected. The issue has been resolved and we are monitoring performance closely.
On the 18th of July, 2025, Fastly was made aware of a new HTTP/1.1 desync attack vector. Our security response engineers immediately initiated a thorough internal investigation, which determined that the Fastly platform is
not vulnerable
to this attack vector.
On the 21st of July, to validate our findings, we collaborated with the third-party researcher who discovered the attack vector. In this process, we confirmed that no Fastly-hosted endpoints were flagged as vulnerable during their research. The researcher noted that "Fastly seems to be relatively robust against desync attacks."
For additional due diligence, our Engineering teams also reviewed a preview of the full whitepaper on 28th of July, which further confirmed our conclusions.
You can read more about their research here: [ The Desync Endgame Begins by James Kettle from PortSwigger Research ]