
Fastly’s Proactive Protection for Critical React RCE CVE-2025-55182 and CVE-2025-66478

Kelly Shortridge

Chief Product Officer, Fastly

While we often hear of nefarious networks of cybercriminals who abuse the internet, we should celebrate the network of passionate providers who link arms to fix the internet in times of crisis. The new React Remote Code Execution (RCE) vulnerability announced today exemplifies the power of this partnership.

On the evening of December 1st, Vercel reached out and informed us of the upcoming disclosure of CVE-2025-55182 and CVE-2025-66478*. After learning about the vulnerability, Fastly immediately kicked off an investigation of our internal systems and worked to develop detection content to provide swift, proactive support to our customers. 

We also helped connect other critical technology partners directly with Vercel to ensure maximum cross-industry preparation ahead of disclosure. We know that for our customers, it’s not just about Fastly’s response. It’s also about being a good partner to others operating in this space and helping spread the right information to all the right places.

We’re grateful for the close collaboration with Vercel, as well as other software ecosystem partners who contributed to this urgent effort, to keep as many organizations as protected as possible. 

In this post, we’ll explain more about the vulnerability, describe how it could impact your business, and offer guidance for mitigating exploitation attempts.

What you need to know now

  • React CVE-2025-55182 and Next.js CVE-2025-66478 affect any app using React 19 with React Server Components (RSC), which, thankfully, is a relatively small footprint across all the JavaScript apps out there.

  • However, we expect attackers to quickly weaponize this vuln; if you’re vulnerable, assume you’ll soon see a flood of attack attempts.

  • Fastly’s core platform infrastructure is not vulnerable based on our current investigation. We’ll continue this work as we learn more.

We’ve released a Virtual Patch in our NGWAF to help our customers mitigate exploitation attempts; you can learn more about this on our status page and FSA within our customer portal.

How to gain active protection now

To mitigate risk for your applications protected by NGWAF, we recommend that you immediately apply the Virtual Patch for CVE-2025-55182 and CVE-2025-66478** to all Edge and On-prem services that may be vulnerable. The detection content within this CVE-specific Templated Rule looks for patterns in request headers and POST bodies that may indicate exploitation attempts against this CVE.

Fastly’s Security Research team developed and tested this content in close collaboration with Vercel; we’re grateful for this partnership to ensure our collective customers have access to protection upon disclosure. Our Security Research team will update the Virtual Patch on an ongoing basis as needed; anyone who has opted-in will receive subsequent updates automatically. 

Fastly will continue to investigate additional layers of defense we can offer for our customers to detect and block attack traffic related to this React RCE. We will continue to develop and refine relevant NGWAF content as we observe exploitation attempts.

Digging Deeper on the React 19 RCE

React CVE-2025-55182 and Next.js CVE-2025-66478 reflect a prototype pollution bug – but not a traditional one. Most prototype pollution bugs require an additional bug before they do anything useful for the attacker, such as executing arbitrary code or reading confidential data.

This React RCE vulnerability is atypical for a prototype pollution bug because the attacker gets what they want in a single step – and that step works, based on our understanding, on anything using React 19 with RSC.

A single request is enough to force a vulnerable React server to run JavaScript of the attacker's choosing. Attackers don't need to perform recon on your app, nor to authenticate. All they need to know is that your app uses RSC; they then send one HTTP request carrying the precise sequence of serialized Flight instructions that triggers the bug.

Because CVE-2025-55182 and CVE-2025-66478 don't need to be chained with another vulnerability to reach remote code execution, we expect attackers to find them convenient to weaponize. Simply put, the bug lets an attacker deliver arbitrary JavaScript to a vulnerable server and have it run. In more technical terms, the bug abuses the deserialization code in the Flight library: as the server decodes the attacker's incoming React Server Function call, that code can be steered into invoking the JavaScript Function constructor, which compiles and returns a function from a string.
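To make the mechanism concrete, here is an added example (not React's Flight code, and not a reproduction of the CVE payloads) of the bug class described above: a deserializer that resolves string references by walking object properties, placed next to a hardened version. The `$chunk:prop:prop` reference syntax and the `chunks` table are invented for the illustration; Flight's real wire format differs. What the example shows is why unchecked property traversal is equivalent to handing the attacker the Function constructor: from any plain object, `constructor` reaches `Object` and `constructor` again reaches `Function`, so two hops plus a string argument yield code execution.

```javascript
'use strict';
// Added example, not React's or Vercel's code: a minimal model of reference resolution in a
// deserializer. The "$id:segment:segment" syntax and the chunk table are assumptions for the
// demo, not Flight's format.

// Values the server has already decoded; a real deserializer holds module references,
// promises, and earlier rows here. Constructed sample data.
const chunks = { 0: { greeting: 'hello' } };

// Vulnerable pattern: follow every segment with plain property access. Nothing stops a
// segment from naming an inherited property, so the walk can climb the prototype chain.
function resolveUnsafe(ref) {
  const [id, ...path] = ref.slice(1).split(':');
  let cur = chunks[id];
  for (const seg of path) cur = cur[seg];
  return cur;
}

// Hardened pattern: only own properties of plain data objects may be traversed, and the
// prototype-chain keys are refused outright (belt and braces: they are not own keys anyway).
const BLOCKED_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);
function resolveSafe(ref) {
  const [id, ...path] = ref.slice(1).split(':');
  if (!Object.prototype.hasOwnProperty.call(chunks, id)) throw new Error(`unknown chunk ${id}`);
  let cur = chunks[id];
  for (const seg of path) {
    const traversable = cur !== null && typeof cur === 'object'
      && !BLOCKED_SEGMENTS.has(seg) && Object.prototype.hasOwnProperty.call(cur, seg);
    if (!traversable) throw new Error(`invalid reference segment: ${seg}`);
    cur = cur[seg];
  }
  return cur;
}

// Attacker-controlled reference: {}.constructor is Object, Object.constructor is Function.
const hostileRef = '$0:constructor:constructor';

function demoUnsafe() {
  const fn = resolveUnsafe(hostileRef);
  // Once the resolver returns Function, any string the attacker supplies becomes code.
  return { isFunctionCtor: fn === Function, result: fn('return 6 * 7')() };
}

function demoSafe() {
  try { resolveSafe(hostileRef); return 'resolved'; } catch (e) { return e.message; }
}

console.log('unsafe resolver:', demoUnsafe());      // { isFunctionCtor: true, result: 42 }
console.log('safe resolver:  ', demoSafe());        // invalid reference segment: constructor
console.log('benign lookup:  ', resolveSafe('$0:greeting'));
```

A deny-list is shown for readability; in a real protocol decoder, prefer an allow-list of the exact reference shapes you expect, and never let wire data pick arbitrary property names on live objects.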

If you use React 19, we strongly advise you to patch immediately and apply active protections as described above.

Fastly’s Guidance for CVE-2025-55182 & CVE-2025-66478

Upon learning of this vulnerability, we rapidly investigated our core platform infrastructure and did not find evidence that we are directly vulnerable to React CVE-2025-55182 and Next.js CVE-2025-66478. We will continue our investigation efforts as we learn more. 

We do, however, have many customers running JavaScript apps on our platform. Here’s how to determine if you’re using React 19 and might be vulnerable:

  • Inventory every app that uses React Server Components (including React Server Functions) or Next.js. GitHub code search is one starting point; a more direct and reliable method is a targeted search of each codebase's package.json for the relevant dependencies (React 19 alongside the RSC runtime package for your bundler, or Next.js), including every package.json in a monorepo.

  • Keep in mind that even an empty, out-of-the-box Next.js application may be vulnerable; all the attacker needs is the server-side RSC endpoint that decodes Flight payloads, even if your code defines no React Server Functions at all.

In any multi-tenant environment, it’s natural to worry that your proverbial “neighbor” may be vulnerable even if you aren’t, with cascading effects. With Fastly, however, you’re safe from direct contagion effects. Fastly designed its Compute platform from the beginning with the notion of untrusted workloads in mind; it doesn’t matter if your neighbors are malicious or compromised because Fastly’s sandbox architecture is built to protect you. 

Given the nature of the vulnerability, it seems likely that exploitation attempts are a matter of “when,” not “if.” If you need additional time to patch your React or Next.js apps, we urge you to apply active protections immediately – including via Fastly’s NGWAF, as described above – to help minimize the business impact of attacks (and poison cyberattackers’ ROI of weaponizing these vulnerabilities).

What’s next?

We know our customers entrust us with the resilience of their business-critical services, and core to our company's mission is to have your back when surprises like CVE-2025-55182 and CVE-2025-66478 erupt. Our teams are here for you as you navigate ongoing mitigation – whether you’re a longstanding Fastly platform customer or new and in need of immediate protection. Let us know how we can help.

We’re grateful to play our part in this network of cloud providers striving to minimize the impact of cyberattacks and cyberabuse across the world. In the spirit of sustaining internet-wide resilience and ecosystem collaboration, Fastly will proactively monitor our global network for exploitation attempts of this React RCE vulnerability and offer subsequent updates of activity we see, similar to the insights we published during the Log4Shell incident. Stay tuned.

*  I personally refer to them jointly as the “Spicy Unpickling,” to borrow terminology from Python.

**  For immediate protection, we published the Virtual Patch under the CVE number available to us: CVE-2025-66478 from Next.js. We are working on consolidating CVE-2025-66478 into CVE-2025-55182, the CVE from React.