Cloudflare’s international community suffered a quick however widespread disruption this morning, lasting roughly 25 minutes, resulting from an inner change in its Internet Software Firewall (WAF) designed to counter a crucial vulnerability in React Server Parts.
The incident, which started round 8:47 GMT, affected the Cloudflare Dashboard, APIs, and proxied providers, inflicting 500 Inside Server Errors for numerous web sites worldwide, together with high-profile platforms like Coinbase, Claude AI by Anthropic, Zerodha, and Groww.
Cloudflare’s standing web page confirmed the outage stemmed from modifications to how the WAF parses incoming requests, applied urgently to mitigate CVE-2025-55182, a maximum-severity (CVSS 10.0) distant code execution (RCE) flaw dubbed “React2Shell.”
Disclosed on December 3, this vulnerability exploits insecure deserialization in React’s Server Parts “Flight” protocol, enabling unauthenticated attackers to execute arbitrary code through malicious HTTP requests to server operate endpoints.
Affected variations embrace React 19.0 by way of 19.2.0, plus frameworks like Subsequent.js (15.x-16.x), React Router, and others equivalent to Waku and RedwoodSDK.
The patch deployment backfired momentarily, rendering Cloudflare’s community unavailable earlier than engineers rolled it again and restored providers by 9:20 UTC.
“This was not an assault; the change was deployed by our workforce to assist mitigate the industry-wide vulnerability,” the corporate said in updates posted all through the morning.
Cloudflare had proactively deployed WAF guidelines on December 2 to dam exploits, mechanically shielding proxied visitors for all clients, together with free plans. No exploit makes an attempt had been detected through these guidelines previous to the outage.
React2Shell has already drawn real-world consideration, with AWS reporting exploitation by China-linked teams like Earth Lamia and Jackpot Panda inside hours of disclosure.
Proof-of-concept exploits flow into extensively, prompting pressing patch suggestions for React 19.2.1 and up to date Subsequent.js variations. Rapid7 and others warn that even apps with out specific server features stay in danger if supporting React Server Parts.
This marks Cloudflare’s second main hiccup in weeks, following a November 18 outage from Bot Administration bugs and a June incident impacting Zero Belief providers.
CEO Matthew Prince beforehand known as the prior occasion the “worst since 2019.” Cloudflare assures full restoration and ongoing monitoring, urging React customers to replace instantly.
Comply with us on Google Information, LinkedIn, and X for each day cybersecurity updates. Contact us to function your tales.
