
Fastly’s Proactive Protection for React2Shell, Critical React RCE CVE-2025-55182 and CVE-2025-66478

Kelly Shortridge

Chief Product Officer, Fastly

December 5th Update:

Fastly is seeing in-the-wild evidence that attackers are relentlessly probing for vulnerable applications in an effort to exploit React2Shell (CVE-2025-55182 and CVE-2025-66478). After the PoC was publicly announced around 21:04 UTC yesterday (December 4th), Fastly detected what appeared, at the time, to be a sharp escalation in attack activity.

In the 24 hours since then, the number of requests triggering our NGWAF signals for React2Shell exploded by 2,775%.

[Chart: hourly volume of requests triggering NGWAF React2Shell signals, 20:00 UTC December 4 through 20:00 UTC December 5. Updated since the previously published chart, it shows a 2,775% increase in React2Shell attempts, peaking at 19:00 on December 5.]


Fastly's Security Research team has verified that select public PoCs give attackers a single-step ability to execute commands, exfiltrate data, and gain write access on vulnerable servers. Patching is urgent: update immediately.

For Fastly Customers

Our goal is to provide you with breathing room to patch: 

  1. First, we’ve expanded our Virtual Patch for CVE-2025-55182 to detect scan/probe activity and any attempts to circumvent our NGWAF protections.

  2. Second, the Next-Gen WAF’s built-in "Attack Tooling" signal detects scanners that emerged in the past 24 hours to probe for vulnerable apps. We suggest investigating any requests that triggered this signal, as it may indicate React2Shell activity.

  3. Finally, Fastly Bot Management has flagged React2Shell attack tooling as a "Suspected Bad Bot", offering organizations yet another layer of defense. We suggest incorporating this signal into your rules if you have not already done so.

The best available fix at this time is to update your apps to the applicable patched versions. We are at the point where it is no longer a question of "if," or possibly even "when," but "how often." We will continue monitoring global attack activity, investing in additional mitigations for our customers, and sharing intel with the public community.


December 4th update: 

Since publishing this blog, Fastly's teams have been closely monitoring for attempts to exploit React2Shell (CVE-2025-55182 and CVE-2025-66478). At approximately 9:04 pm GMT on December 4th, what appears to be a viable PoC was publicly dropped. We saw few to no requests triggering our NGWAF signals for these vulnerabilities until approximately 8:00 pm GMT; triggered signals then spiked precipitously once the PoC began circulating. The chart below covers roughly 11:00 am GMT through 11:00 pm GMT on December 4, 2025; we will continue sharing relevant intelligence as the situation evolves.

[Chart: hourly volume of requests triggering React2Shell NGWAF signals on December 4, 2025 (GMT). No signals before 7 pm; a small spike to 2,112 between 7 and 9 pm; a further spike at 10 pm; and a peak of 36,792 at 11 pm.]


What should you do?

Fastly strongly recommends that you prioritize identifying and updating your React and Next.js apps immediately. For current Next-Gen WAF customers, be sure to enable the associated Virtual Patch for the dual CVEs to offer protection until your underlying systems are fully updated. If you have neither patched nor applied any proactive protection, you should assume your vulnerable systems are potentially compromised. 

We will continue to monitor our global network for React2Shell activity and update the community as the situation evolves.


While we often hear of nefarious networks of cybercriminals who abuse the internet, we should celebrate the network of passionate providers who link arms to fix the internet in times of crisis. The new React Remote Code Execution (RCE) vulnerability announced today exemplifies the power of this partnership.

On the evening of December 1st, Vercel reached out and informed us of the upcoming disclosure of CVE-2025-55182 and CVE-2025-66478*, vulnerabilities now jointly referred to as React2Shell.

After learning about the vulnerability, Fastly immediately kicked off an investigation of our internal systems and worked to develop detection content to provide swift, proactive support to our customers. 

We also helped connect other critical technology partners directly with Vercel to ensure maximum cross-industry preparation ahead of disclosure. We know that for our customers, it’s not just about Fastly’s response. It’s also about being a good partner to others operating in this space and helping spread the right information to all the right places.

We’re grateful for the close collaboration with Vercel, as well as other software ecosystem partners who contributed to this urgent effort, to keep as many organizations as protected as possible. 

In this post, we’ll explain more about the vulnerability, describe how React2Shell could impact your business, and offer guidance for mitigating exploitation attempts.

What you need to know now

  • React CVE-2025-55182 and Next.js CVE-2025-66478 affect any app using React 19 with React Server Components (RSC) – which, thankfully, is a relatively small footprint out of all JavaScript apps out there.

  • However, we expect attackers to quickly weaponize this vuln; if you’re vulnerable, assume you’ll soon see a flood of attack attempts.

  • Fastly’s core platform infrastructure is not vulnerable to React2Shell based on our current investigation. We’ll continue this work as we learn more.

We’ve released a Virtual Patch for React2Shell in our NGWAF to help our customers mitigate exploitation attempts; you can learn more about this on our status page and FSA within our customer portal.

How to gain active protection now

To mitigate risk for your applications protected by NGWAF, we recommend that you immediately apply the Virtual Patch for CVE-2025-55182 and CVE-2025-66478** to all Edge and On-prem services that may be vulnerable. The detection content within this CVE-specific Templated Rule looks for specific patterns within request headers and POST bodies that may indicate potential exploitation attempts of React2Shell CVEs.

Fastly’s Security Research team developed and tested this content in close collaboration with Vercel; we’re grateful for this partnership to ensure our collective customers have access to protection upon disclosure. Our Security Research team will update the Virtual Patch on an ongoing basis as needed; anyone who has opted-in will receive subsequent updates automatically. 

Fastly will continue to investigate additional layers of defense we can offer our customers to detect and block attack traffic related to React2Shell. We will continue to develop and refine relevant NGWAF content as we observe exploitation attempts.

Digging Deeper on the React2Shell

React CVE-2025-55182 and Next.js CVE-2025-66478 reflect a prototype pollution bug – but not a traditional one. Most prototype pollution bugs require an additional bug to do anything useful for the attacker, like executing arbitrary code or accessing confidential data.

This React RCE vulnerability is atypical for a prototype pollution bug because the attacker can get what they want in just one step – and that step works, based on our understanding, on anything using React 19 with RSC.

Attackers can send a single, one-shot request that forces your React server to run JavaScript code of their choosing. This means attackers need neither to perform reconnaissance on your app nor to authenticate. All they need is to know your app uses RSC and to send an HTTP request containing the precise series of serialized Flight instructions that triggers the bug.

Because React2Shell doesn’t require another vulnerability for attackers to gain remote code execution, we believe attackers will find it convenient to weaponize. Simply put, the bug allows attackers to easily add and run arbitrary JavaScript on a vulnerable server. In more technical terms, this bug exploits the Flight library – and specifically its deserialization code – to call the JavaScript function constructor as the server decodes the attacker’s incoming React Server function call.
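To make the mechanism above concrete without reproducing any React2Shell payload, here is an added toy illustration (not React's Flight code, and not Fastly's detection content) of the general JavaScript hazard the paragraph describes: a deserializer that resolves a client-supplied path of property names by plain property access can be steered up the prototype chain to the Function constructor, which is a code-execution primitive. The resolver names, the registry, and the sample paths are all hypothetical; the hardened variant restricts lookups to own properties of a null-prototype registry. The demo deliberately stops at obtaining the constructor and never invokes it.

```javascript
// Added illustration (not React's or Fastly's code): a toy "reference
// resolver" of the kind a deserializer uses to turn a serialized path into
// a live object, showing why walking attacker-chosen property names can
// hand back the Function constructor. All names here are hypothetical.

// Unsafe: follows each segment with plain property access, so inherited
// properties such as `constructor` are reachable from any plain object.
function resolveUnsafe(root, path) {
  let cur = root;
  for (const seg of path) {
    cur = cur[seg];
  }
  return cur;
}

// Hardened: only own properties of a null-prototype registry are resolvable,
// so the prototype chain is never consulted and `constructor` is not found.
function resolveSafe(registry, path) {
  let cur = registry;
  for (const seg of path) {
    if (typeof seg !== "string" || cur === null || typeof cur !== "object" ||
        !Object.hasOwn(cur, seg)) {
      throw new Error(`unresolvable reference segment: ${JSON.stringify(seg)}`);
    }
    cur = cur[seg];
  }
  return cur;
}

// Registry of server functions the server is willing to expose; no prototype.
function buildRegistry() {
  const reg = Object.create(null);
  reg.greet = (name) => `hello, ${name}`;
  return reg;
}

// Constructed sample "serialized" reference paths, as a client might send them.
const benignPath = ["greet"];
// {} -> Object (via .constructor) -> Function (via Object.constructor)
const hostilePath = ["constructor", "constructor"];

function demo() {
  const reg = buildRegistry();
  // A plain-object registry lets the hostile path reach Function itself.
  const viaUnsafe = resolveUnsafe({ greet: reg.greet }, hostilePath);
  const unsafeYieldsFunctionCtor = viaUnsafe === Function;

  let safeRejected = false;
  try { resolveSafe(reg, hostilePath); } catch { safeRejected = true; }

  return {
    unsafeYieldsFunctionCtor,
    safeRejected,
    benign: resolveSafe(reg, benignPath)("world"),
  };
}
```

Run `demo()` in Node 16.9 or newer (for `Object.hasOwn`): the unsafe resolver returns `Function` for the hostile path, while the hardened resolver throws and still serves the benign reference. The point is structural: never let deserialized input choose which properties are walked on objects that have a prototype.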

If you use React 19, we strongly advise you to patch immediately and apply active protections as described below.

Fastly’s Guidance for React2Shell – CVE-2025-55182 & CVE-2025-66478

Upon learning of this vulnerability, we rapidly investigated our core platform infrastructure and did not find evidence that we are directly vulnerable to React CVE-2025-55182 and Next.js CVE-2025-66478. We will continue our investigation efforts as we learn more. 

We do, however, have many customers running JavaScript apps on our platform. Here’s how to determine if you’re using React 19 and might be vulnerable to React2Shell:

  • Inventory all apps that use React Server Functions or Next.js, for instance with GitHub code search; the most direct and reliable method is a targeted search of each codebase's package.json for the relevant package dependencies

  • Keep in mind that even an empty, out-of-the-box Next.js application may be vulnerable; all an attacker needs is the server side of React Server Components to be present, even if you are not using React Server Functions
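The inventory step above can be scripted. The following is an added example (not Fastly's or Vercel's tooling) that triages package.json manifests for the exposure pattern the post describes: React 19 together with a React Server Components runtime, or any Next.js dependency. The list of RSC runtime package names is an assumption you should extend for your own stack, and the script deliberately encodes no patched version numbers; compare anything it flags against the vendor advisories. The manifests are constructed samples.

```javascript
// Added example (not Fastly's or Vercel's tooling): triage package.json
// manifests for React2Shell exposure as the post describes it. It flags
// React 19 plus an RSC runtime, React 19 needing confirmation, and any
// Next.js app. Patched version numbers are intentionally not encoded.

// Assumed list of RSC runtime packages; extend for your own bundler.
const RSC_RUNTIMES = [
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
];

// Major version from a semver range such as "^19.1.0", ">=19.0.0 <20",
// "19.2.0". Returns null for tags like "latest" or "workspace:*".
function majorOf(range) {
  if (typeof range !== "string") return null;
  const m = range.match(/(\d+)(?:\.\d+)*/);
  return m ? Number(m[1]) : null;
}

// Merge the dependency sections a build might install.
function allDeps(manifest) {
  return Object.assign(
    {},
    manifest.dependencies || {},
    manifest.devDependencies || {},
    manifest.peerDependencies || {},
  );
}

// Classify one manifest. `exposed` is a triage flag only; versions still
// need to be checked against the advisories by hand.
function triageManifest(manifest) {
  const deps = allDeps(manifest);
  const reasons = [];
  const reactMajor = majorOf(deps.react);
  const rscPkgs = RSC_RUNTIMES.filter((p) => p in deps);

  if ("next" in deps) {
    reasons.push(`next ${deps.next}: even an out-of-the-box Next.js app may be vulnerable`);
  }
  if (reactMajor === 19 && rscPkgs.length > 0) {
    reasons.push(`react ${deps.react} with RSC runtime ${rscPkgs.join(", ")}`);
  } else if (reactMajor === 19) {
    reasons.push(`react ${deps.react}: confirm whether an RSC runtime is in use`);
  }

  return { name: manifest.name || "(unnamed)", exposed: reasons.length > 0, reasons };
}

// Return only the manifests that need follow-up.
function triageAll(manifests) {
  return manifests.map(triageManifest).filter((r) => r.exposed);
}

// Constructed sample manifests (not real projects).
const SAMPLE_MANIFESTS = [
  { name: "marketing-site", dependencies: { next: "15.0.0", react: "^19.0.0", "react-dom": "^19.0.0" } },
  { name: "legacy-spa", dependencies: { react: "^18.3.1", "react-dom": "^18.3.1" } },
  { name: "custom-rsc", dependencies: { react: "19.1.0", "react-server-dom-webpack": "19.1.0" } },
  { name: "react19-client-only", dependencies: { react: "~19.0.0" } },
];

// Usage: node inventory.js  (prints the flagged apps and why)
for (const r of triageAll(SAMPLE_MANIFESTS)) {
  console.log(`${r.name}: ${r.reasons.join("; ")}`);
}
```

In practice you would feed it every package.json found by a repository walk or a code search export; lockfiles are the more authoritative source for resolved versions, but the manifest check is enough to build the initial worklist.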

In any multi-tenant environment, it’s natural to worry that your proverbial “neighbor” may be vulnerable even if you aren’t, with cascading effects. With Fastly, however, you’re safe from direct contagion effects. Fastly designed its Compute platform from the beginning with the notion of untrusted workloads in mind; it doesn’t matter if your neighbors are malicious or compromised because Fastly’s sandbox architecture is built to protect you. 

Given the nature of the vulnerability, it seems likely that exploitation attempts are a matter of “when,” not “if.” If you need additional time to patch your React or Next.js apps, we urge you to apply active protections immediately – including via Fastly’s NGWAF, as described above – to help minimize the business impact of attacks (and poison cyberattackers’ ROI of weaponizing these vulnerabilities).

What’s next?

We know our customers entrust us with the resilience of their business-critical services, and core to our company's mission is to have your back when surprises like CVE-2025-55182 and CVE-2025-66478 erupt. Our teams are here for you as you navigate ongoing mitigation of React2Shell – whether you’re a longstanding Fastly platform customer or new and in need of immediate protection. Let us know how we can help.

We’re grateful to play our part in this network of cloud providers striving to minimize the impact of cyberattacks and cyberabuse across the world. In the spirit of sustaining internet-wide resilience and ecosystem collaboration, Fastly will proactively monitor our global network for exploitation attempts of React2Shell vulnerability and offer subsequent updates of activity we see, similar to the insights we published during the Log4Shell incident. Stay tuned.

*  I personally refer to them jointly as the “Spicy Unpickling,” to borrow terminology from Python.

**  For immediate protection, we published the Virtual Patch under the CVE number available to us: CVE-2025-66478 from Next.js. We are working on consolidating CVE-2025-66478 into CVE-2025-55182, the CVE from React.