Secret Store
The Fastly Security Team, in coordination with Vercel, AWS, Next.js, and Meta, are issuing this urgent security advisory regarding a newly discovered, critical vulnerability in the React framework. The Next.js CVE-2025-66478 and React CVE-2025-55182 were published today, the 3rd of December 2025 at 15:54 UTC.
What Happened
On the 1st of December 2025, Vercel notified Fastly of a critical-severity unauthenticated Remote Code Execution (RCE) vulnerability that was responsibly disclosed to Meta, affecting React’s “Server Function” protocol.
The vulnerability impacts applications utilizing React Server Components (RSC) functionality via the following common frameworks/plugins:
- Next.js versions 15 and 16 (when using App Router)
- React Router RSC preview
- Parcel RSC plugin
- Vite RSC plugin
As of this notification, Fastly does not have knowledge or evidence of this vulnerability being exploited in the wild.
However, some customers running workloads using Fastly Compute, specifically those using the affected React versions and RSC implementations listed above, may be at risk. We encourage all Compute customers to refer to the identification and mitigation steps described in the next section.
What You Can Do
Next-Gen WAF (NGWAF)
To mitigate risk for your applications protected by NGWAF, we recommend that you immediately apply the Virtual Patch for CVE-2025-66478 (which also addresses CVE-2025-55182) to all Edge and On-prem services that may be vulnerable. The detection content within this CVE-specific Templated Rule looks for specific patterns within request headers and POST bodies that may indicate potential exploitation attempts of this CVE. Fastly’s Security Research team developed and tested this content in close collaboration with Vercel and AWS.
Compute
To mitigate risk for Compute Services, we recommend that you take the following steps:
Inventory and Identification: Identify all applications within your environment that are using the affected React versions (19.0, 19.1, and 19.2) in conjunction with any of the listed RSC implementations:
- Next.js 15, 15.1, 15.2, 15.3, 15.4, 15.5, 16
- App Router
- React Router RSC preview
- Parcel RSC plugin
- Vite RSC plugin
One method for identification is to perform a targeted search across your codebase for the relevant package dependencies in the package.json file. Efficient methods include:
- GitHub/Code Search: Use tools like GitHub's code search functionality.
- Command-Line Tools: Use grep or similar tools for local/private repositories.
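One way to run the package.json search described above, as an added example that is not Fastly's tooling or part of the original advisory: a Node.js function that flags manifests declaring `react` or `next` in the version ranges this advisory lists. The file paths and sample manifests are constructed. A flagged range still has to be compared against the installed version in the lockfile, and any spec that is not a simple version is reported as unresolved.

```javascript
// Added example, not Fastly tooling. Affected ranges are copied from the
// advisory: React 19.0, 19.1, 19.2 and Next.js 15 through 16.
const AFFECTED = {
  react: (major, minor) => major === 19 && (minor === null || minor <= 2),
  next: (major) => major === 15 || major === 16,
};
const SECTIONS = ["dependencies", "devDependencies", "peerDependencies", "optionalDependencies"];
// Exact, caret, tilde and x-range specs only; comparator ranges, dist-tags and
// workspace:/git/file specs cannot be judged from the manifest alone.
const SIMPLE = /^\s*[\^~=v]*\s*(\d+)(?:\.(\d+|[xX*]))?(?:\.(?:\d+|[xX*]))?(?:[-+][\w.-]+)?\s*$/;

function classifySpec(pkg, spec) {
  const m = typeof spec === "string" ? SIMPLE.exec(spec) : null;
  if (!m) return "unresolved"; // check the lockfile for the installed version
  const minor = m[2] === undefined || /[xX*]/.test(m[2]) ? null : Number(m[2]);
  // "affected-range" means the declared range starts in an affected line; the
  // lockfile decides whether the installed release is already a patched one.
  return AFFECTED[pkg](Number(m[1]), minor) ? "affected-range" : "ok";
}

function auditManifest(file, jsonText) {
  let manifest;
  try {
    manifest = JSON.parse(jsonText);
  } catch (err) {
    return [{ file, status: "unparseable", detail: err.message }];
  }
  if (manifest === null || typeof manifest !== "object") return [];
  const findings = [];
  for (const section of SECTIONS) {
    const deps = manifest[section];
    if (deps === null || typeof deps !== "object") continue;
    for (const pkg of Object.keys(AFFECTED)) {
      if (!Object.prototype.hasOwnProperty.call(deps, pkg)) continue;
      const status = classifySpec(pkg, deps[pkg]);
      if (status !== "ok") findings.push({ file, section, pkg, spec: deps[pkg], status });
    }
  }
  return findings;
}

// Constructed sample manifests (hypothetical monorepo paths).
const SAMPLES = {
  "apps/storefront/package.json": '{"dependencies":{"next":"^15.3.0","react":"^19.1.0"}}',
  "apps/legacy/package.json": '{"dependencies":{"next":"14.2.5","react":"^18.3.1"}}',
  "packages/ui/package.json": '{"peerDependencies":{"react":">=18 <20"}}',
  "tools/broken/package.json": '{"dependencies": ',
};

function scanAll(manifests) {
  return Object.entries(manifests).flatMap(([file, text]) => auditManifest(file, text));
}

for (const f of scanAll(SAMPLES)) {
  console.log(`${f.file}: ${f.status} ${f.pkg ?? ""} ${f.spec ?? f.detail ?? ""}`);
}
```

To use it on a real repository, pass each package.json's text to `auditManifest`; the RSC plugins named above are not checked because the advisory gives no package names for them.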
Patching and Deployment: The affected React versions are 19.0, 19.1, and 19.2. Immediately deploy the official, stable patched versions released today, the 3rd of December 2025. The React 19 patch will be published for 19.2. The affected Next.js versions are 15 through 16, and patches will be published for versions 15, 15.1, 15.2, 15.3, 15.4, 15.5, and 16.
What We Did Immediately
Fastly initiated an internal investigation for our core platform infrastructure and has found no indication that we are directly vulnerable as of the date of this advisory. This includes our Compute platform itself; as described earlier, due to Compute’s sandboxed architecture, any apps that are not vulnerable to this bug will be protected even if neighboring apps are malicious or compromised.
In close partnership with Vercel, AWS, and Meta, our security research team began developing NGWAF content ahead of disclosure to provide protection for our customers as soon as the patch is applied. Fastly is currently investigating additional ways we can detect and block attack traffic as a result of this announced vulnerability. We will continue to develop and refine relevant NGWAF content as we observe exploitation attempts.
Customers with any questions or concerns may engage with our Support team through https://support.fastly.com or by contacting your designated account management team members.
Following further investigation and evaluation of the React2Shell vulnerability, and in response to widespread exploitation attempts, Fastly is implementing a default block for requests matching the attack signatures within NGWAF.
This action provides our NGWAF customers with enhanced defence against this emerging and urgent threat. No action is required on your part to benefit from this added protection.
We continue to encourage all customers to update any affected applications as soon as possible.
On the 11th of December 2025 CVE-2025-55184 and CVE-2025-55183 were published; unlike React2Shell, these vulnerabilities do not allow for Remote Code Execution.
CVE-2025-55184 facilitates a Denial of Service in which an attacker can force a vulnerable application server into an infinite loop by crafting a specific request.
CVE-2025-55183 facilitates a leak of React Server Function source code. This CVE is unlikely to have a high impact on you unless you are using React Server Components and have sensitive or proprietary information contained in React Server Function source code.
What We Did Immediately
After receiving initial information from Vercel and Meta about CVE-2025-55184 and CVE-2025-55183, Fastly developed and deployed a Virtual Patch for each CVE in blocking mode by default for all Fastly NGWAF customers out of an abundance of caution. If you wish to disable this virtual patch, please refer to our documentation.
We continue to encourage all customers to update any affected applications as soon as possible.
Fastly Engineers detected a performance-impacting event affecting the Fastly Compute Services within our Ashburn (IAD) and Chicago (CHI) Points of Presence (POPs).
All other POPs and services were unaffected. The issue has been resolved and we are monitoring performance closely.
Engineering has confirmed that this incident has been fully restored. Customers may have experienced increased latency and errors affecting Fastly Compute Services from Thursday at 23:49 UTC to Friday at 01:12 UTC.
This incident is resolved.
Affected customers may have experienced impact to varying degrees and to a shorter duration than as set forth above.
Status Post, Created Date/Time: 2025-11-14 01:51:47 UTC
Note: Our Customer Escalation Management team will update the start date and time of the initial "investigating" status post upon the resolution of this incident. This update is meant to provide our customers and their end users with a potential impact window. The date and time mentioned in the message above indicates when the status post was requested by our Acute Incident Response team.
We are investigating elevated errors to our Compute services impacting new Compute activation deployments. Currently active Compute deployments remain unaffected by this incident.
All other products and services are unaffected by this incident.
Our engineers are continuing to investigate activations on our Compute services. We have not yet identified the root cause but are actively working on diagnostics. We will provide another update as soon as we have more information.
Our engineers believe they have identified a contributing factor causing the issue impacting the Compute status page component.
We are now developing a fix, and will post a new update once it has been fully implemented and we see signs of recovery.
All other products and services are unaffected by this incident.
The fix has been successfully deployed, and we have observed a recovery of Compute activations. Error rates and latency have returned to nominal levels.
Our team will continue to monitor the platform to ensure stability before we resolve this incident.
We will provide a final update once the incident is fully resolved.
Our engineers have identified an additional contributing factor and are developing an adjusted mitigation strategy to our Compute services.
All other locations and services are unaffected.
A new fix has been successfully deployed, and we have observed a recovery of Compute activations.
Our team will continue to monitor the platform to ensure stability before we resolve this incident.
We will provide a final update once the incident is fully resolved.
Engineering has confirmed that activations for our Compute services have been fully restored. Customers may have experienced elevated errors when deploying new activations from 16:13 to 22:06 UTC.
Existing services already deployed were unaffected by this incident.
This incident is resolved. All services are now operating normally.
Status Post, Created Date/Time: 2025-11-03 17:57:17 UTC
We are issuing an urgent advisory regarding an incompatibility between Compute services and the newly released Rust version 1.91.
Action Required
We strongly recommend that you DO NOT upgrade to Rust version 1.91 at this time.
What Happened
We first identified this incompatibility in our testing environment on the 30th of October 2025, and have since confirmed the same Compute crash behavior in our production environment.
Incompatible Version: Rust 1.91
Compatible Version: Rust 1.90 and below (Previous Stable Versions)
Impact: Using Rust 1.91 with Compute may lead to crash behavior, which will impact your traffic on Fastly.
What’s next? What do I have to do?
If you have already upgraded your services to Rust version 1.91, you must immediately downgrade to the previous stable and compatible version, Rust version 1.90, to prevent or resolve any impact to your traffic.
We are actively working on a fix to ensure compatibility with Rust version 1.91 and will provide an update as soon as a fix is available. Thank you for your patience and understanding.
Customers with any questions or concerns may engage with our Support team through https://support.fastly.com or by contacting your designated account management team members.
We are investigating elevated errors and increased latency to our Compute and Next-Gen WAF (NGWAF) services.
All other products and services are unaffected by this incident.
Our engineers have identified the contributing factor and are developing a fix to our Compute and Next-Gen WAF (NGWAF) services.
All other locations and services are unaffected.
Our engineers have identified the primary cause and we've deployed mitigation steps for the issues impacting Compute and our Next-Gen WAF (NGWAF).
We are aware that our status post updates are not reaching dedicated customer chat channels correctly. For the most current and accurate information, please continue to follow the incident directly on our status page, through SMS or Email notifications which remain unaffected by this incident.
We're continuing to work with our incident response teams to fully restore service. We'll provide another update as soon as more information is available. All other locations and services are unaffected.
We can confirm that Compute services have been restored.
Our teams remain actively engaged in mitigating the issue affecting Next-Gen WAF (NGWAF) services. We'll continue to provide updates as soon as new information is available.
All other locations and services are unaffected.
We've confirmed that the issues impacting both our Compute and Next-Gen WAF (NGWAF) services have been mitigated.
We will continue to monitor until we’ve confirmed that customer experience has been fully restored.
This incident has been resolved. On the 18th of August 2025, customers experienced impact to Compute services between 18:50-19:26 UTC and NGWAF services between 18:50-21:59 UTC. During these times, customers may have seen elevated errors and increased latency. Services leveraging Compute, such as certain public APIs (KV Store, Domainr, etc.), were also affected.
Separately, our CX Escalation engineers identified and resolved a vendor-related issue that prevented status updates from reaching dedicated customer chat channels during a portion of the incident. All notification systems are now fully operational.
This incident is fully resolved.
Status Post, Created Date/Time: 2025-08-18 19:09:15 UTC
We are investigating elevated errors to our Compute service.
All other products and services are unaffected by this incident.
Our engineers have identified the contributing factor and are developing a fix to our Compute service.
All other locations and services are unaffected.
Engineering has confirmed the impact to our Compute service has been mitigated.
Engineering has confirmed that our Compute service has been fully restored. Customers may have experienced errors when they attempted to update WASM packages from 17:40 to 20:31 UTC.
This incident is resolved.
Affected customers may have experienced impact to varying degrees and to a shorter duration than as set forth above.
Status Post, Created Date/Time: 2025-04-29 20:46:42 UTC
We are investigating elevated errors to our Fastly Compute service.
All other products and services are unaffected by this incident.
Our engineers have identified the contributing factor and are applying a fix to our Fastly Compute service.
All other locations and services are unaffected.
Engineering has confirmed the impact to Fastly Compute service has been mitigated.
Our engineers have confirmed that our Compute services have been fully restored. During this incident new version deployments would have been prevented, but not lost. These deployments were delayed, but our customers should begin to see their updates propagate for their services now that this incident is resolved. Our investigation into this incident shows a possible impact window of 17:08 to 18:05 UTC on the 17th of April 2025.
The duration of impact from this incident will vary across our customers.
Our ability to deliver Network services and all other products and services were unaffected by this incident.
Status Post, Created Date/Time: 2025-04-17 17:46:13 UTC
We are investigating elevated errors to our Secret Store service.
All other products and services are unaffected by this incident.
Our engineers have identified the contributing factor and are applying a fix to our Secret Store service.
All other locations and services are unaffected.
Engineering has confirmed the impact to Secret Store service has been mitigated.
Engineering has confirmed that Secret Store service has been fully restored. Customers may have experienced an increase in decryption errors for secret store from 18:55 to 19:49 UTC.
This incident is resolved.
Status Post, Created Date/Time: 2025-03-06 19:31:59 UTC
Customer Messaging
On the 9th of January 2025, Rust will be releasing a new version of its coding language, version 1.84. Our Engineers will be performing additional research into this new version to ensure optimal compatibility with our Compute platform.
Customers identified to have services impacted by this change would have received an email notification with additional details.
- Refer to subject line, (Action Required) Compute Services, Pending Rust Version 1.84 Release in January 2025
In order to avoid issues or disruption when attempting to build existing Compute projects, we ask that our customers with Rust-based Compute services not perform an update to Rust version 1.84 or later until you have received a software development kit (SDK) update from Fastly.
What’s Changing?
A new version of Rust is scheduled to be released on the 9th of January 2025 that has not been fully vetted by our Engineers to ensure that the version is supported on our Compute platform.
What’s next? What do I have to do?
In accordance with our standardized best practice, customers who have Rust-based Compute services should update their Fastly CLI to the latest version (v10.17.0), or later, in order to run adequate checks on your version of Rust and compatibility with Compute, before building and deploying your code to the platform.
Our engineers are currently evaluating the upcoming Rust release (v1.84), and will release a subsequent SDK update once 1.84 platform compatibility is confirmed.
Additionally, if you are using the Rust toolchain in your CI pipeline, then you will also need to apply an upper bound for Rust at v1.83 as well.
Customers with any questions or concerns may engage with our Support team through https://support.fastly.com or by contacting your designated account management team members.
We are investigating elevated errors to our Compute and Next-Gen WAF (NGWAF) services.
All other products and services are unaffected by this incident.
Status Post, Created Date/Time: 2024-10-02 19:56 UTC
Note: Our Customer Escalation Management team will update the start date and time of this status post upon the resolution of this incident. This update is meant to provide our customers and their end users with a potential impact window. The date and time mentioned in the message above indicates when the status post was requested by our Acute Incident Response team.
Our engineers have identified the contributing factor and are applying a fix to our Compute and Next-Gen WAF (NGWAF) services.
All other locations and services are unaffected.
Engineering has confirmed the impact to our Compute and Next-Gen WAF (NGWAF) services has been mitigated.
Engineering has confirmed that Compute and Next-Gen WAF (NGWAF) services have been fully restored. Customers may have experienced errors when deploying Edge WAF services from 14:41 to 19:52 UTC.
This incident is resolved.