
Cloudflare’s global network suffered a brief but widespread disruption this morning, lasting approximately 25 minutes, due to an internal change in its Web Application Firewall (WAF) designed to counter a critical vulnerability in React Server Components.
The incident, which began around 8:47 GMT, affected the Cloudflare Dashboard, APIs, and proxied services, causing 500 Internal Server Errors for countless websites worldwide, including high-profile platforms like Coinbase, Claude AI by Anthropic, Zerodha, and Groww.
Cloudflare’s status page confirmed the outage stemmed from modifications to how the WAF parses incoming requests, implemented urgently to mitigate CVE-2025-55182, a maximum-severity (CVSS 10.0) remote code execution (RCE) flaw dubbed “React2Shell.”
Disclosed on December 3, this vulnerability exploits insecure deserialization in React’s Server Components “Flight” protocol, enabling unauthenticated attackers to execute arbitrary code via malicious HTTP requests to server function endpoints.
Affected versions include React 19.0 through 19.2.0, plus frameworks like Next.js (15.x-16.x), React Router, and others such as Waku and RedwoodSDK.
The patch deployment backfired momentarily, rendering Cloudflare’s network unavailable before engineers rolled it back and restored services by 9:20 UTC.
“This was not an attack; the change was deployed by our team to help mitigate the industry-wide vulnerability,” the company stated in updates posted throughout the morning.
Cloudflare had proactively deployed WAF rules on December 2 to block exploits, automatically shielding proxied traffic for all customers, including free plans. No exploit attempts were detected via these rules prior to the outage.
React2Shell has already drawn real-world attention, with AWS reporting exploitation by China-linked groups like Earth Lamia and Jackpot Panda within hours of disclosure.
Proof-of-concept exploits are circulating widely, prompting urgent recommendations to upgrade to React 19.2.1 and updated Next.js versions. Rapid7 and others warn that even apps without explicit server functions remain at risk if they support React Server Components.
This marks Cloudflare’s second major hiccup in weeks, following a November 18 outage from Bot Management bugs and a June incident impacting Zero Trust services.
CEO Matthew Prince called the prior event the “worst since 2019.” Cloudflare says it has fully recovered and continues to monitor, and urges React users to update immediately.
