Protection from CVE-2025-55182 (React) and CVE-2025-66478 (Next.js)
A critical Remote Code Execution (RCE) vulnerability affecting both the React and Next.js frameworks has been assigned two CVEs: CVE-2025-55182 (React) and CVE-2025-66478 (Next.js). Fastly has created a single virtual patch labeled CVE-2025-66478 that addresses the vulnerabilities in both frameworks, and it is now available within your account. For more information, check out our service advisory.
To activate it and add protection to your services, follow the steps for your control panel below.
Next-Gen WAF control panel
- Professional or Premier platform
- Essentials platform
Log in to the Next-Gen WAF control panel.
From the Sites menu, select a site if you have more than one site.
- From the Rules menu, select Templated Rules.
- In the search bar, enter
CVE-2025-66478and then click View for the CVE-2025-66478 templated rule. - Click Configure and then Add trigger.
- Select the Block requests from an IP immediately if the CVE-2025-66478 signal is observed checkbox.
- Click Update rule.
Fastly control panel
Log in to the Fastly control panel.
Go to Security > Next-Gen WAF > Workspaces.
- Click Virtual Patches.
- In the search bar, enter
CVE-2025-66478and then click the pencil to the right of the CVE-2025-66478 virtual patch. - From the Status menu, select Enabled.
- (Optional) If your workspace is in blocking mode, choose whether to Block requests or Log requests if the CVE-2025-66478 signal is observed.
- Click Update virtual patch.
