Cloudflare Outage Linked to React2Shell Mitigation Efforts
â–¼ Summary
– Cloudflare experienced a widespread global outage, causing websites to display “500 Internal Server Error” messages.
– The outage was triggered by emergency mitigations Cloudflare deployed for a critical, actively exploited vulnerability (CVE-2025-55182/React2Shell) in React Server Components.
– The vulnerability allows unauthenticated attackers to execute remote code on affected React and Next.js applications via malicious HTTP requests.
– Multiple China-linked hacking groups have begun exploiting this flaw, and functional proof-of-concept exploits are already available.
– This is the latest in a series of recent Cloudflare outages, following significant incidents in November and June of this year.
A significant disruption to Cloudflare’s global network earlier today resulted in widespread website outages, with many users encountering a “500 Internal Server Error.” The company has clarified that the incident was not the result of a cyberattack but stemmed from its own emergency efforts to patch a critical security vulnerability. The outage was directly linked to the deployment of mitigations for a severe remote code execution flaw in React Server Components, known as React2Shell (CVE-2025-55182). This vulnerability is currently being exploited by malicious actors, prompting urgent defensive actions across the industry.
According to a detailed post-mortem from Cloudflare CTO Dane Knecht, the problem occurred while engineers were modifying the platform’s body parsing logic. These changes were intended to detect and block attempts to exploit the newly disclosed React vulnerability. The update inadvertently caused a failure that impacted roughly 28% of all HTTP traffic flowing through Cloudflare’s systems, affecting a substantial subset of their customer base. Knecht emphasized that the outage was an unintended consequence of their security response, not an external assault on their infrastructure.
The React2Shell vulnerability presents a serious threat, as it allows attackers to execute arbitrary code on vulnerable servers. It exists within the ‘Flight’ protocol of React Server Components (RSC). By sending specially crafted HTTP requests to React Server Function endpoints, unauthenticated attackers can compromise applications built with React and popular frameworks like Next.js. The flaw specifically affects React versions 19.0 through 19.2.0, impacting default configurations of packages such as react-server-dom-webpack and react-server-dom-turbopack.
Security researchers have confirmed that exploitation is already underway. Teams at Amazon Web Services have observed several hacking groups with links to China, including Earth Lamia and Jackpot Panda, actively leveraging this vulnerability. These attacks began mere hours after the flaw’s public disclosure. The NHS England National CSOC has also issued warnings, noting that functional proof-of-concept exploit code is circulating. They assess that continued successful exploitation in real-world attacks is highly probable, urging all organizations to apply patches immediately.
This incident marks another major service disruption for Cloudflare in recent months. Last month, the company endured what its CEO described as its worst outage since 2019, which took its global network offline for nearly six hours. Another widespread issue in June caused authentication failures and connectivity problems across multiple regions. Today’s event underscores the complex challenges infrastructure providers face when rapidly responding to critical, actively exploited security threats, where defensive measures can sometimes have unintended side effects on service stability.
(Source: Bleeping Computer)
