Cloudflare blames Friday outage on borked fix for React2shell vuln

Summary

Cloudflare says a botched attempt to detect and mitigate the newly disclosed React2Shell vulnerability (CVE-2025-55182) triggered a configuration change to its body-parsing logic and brought down about 28% of the HTTP traffic it serves, causing a widespread outage early on Friday. The company stressed the outage was not caused by a cyber attack.

The React2Shell flaw is an insecure deserialization issue in React Server Components (CVSS 10.0) that allows unauthenticated remote code execution and affects frameworks such as Next.js. The bug was disclosed on 3 December 2025, proofs of concept began circulating within a day or two, and multiple threat actors, including state-linked groups, were reported attempting exploitation. Researchers warn that both working and fake proofs of concept are proliferating, complicating mitigation efforts and sparking debate about disclosure practices.

Key Points

  • Cloudflare took large parts of its network down while deploying a mitigation; the change to its body-parsing logic caused a service disruption affecting ~28% of the HTTP traffic it serves.
  • React2Shell (CVE-2025-55182) is a critical unauthenticated deserialization RCE in React Server Components, rated CVSS 10.0 and easy to exploit.
  • Proofs of concept appeared rapidly after disclosure; some are legitimate and effective, others are invalid or misleading.
  • Multiple actors, including China‑linked groups named by AWS, were observed scanning and attempting exploitation — CISA added the bug to its Known Exploited Vulnerabilities list and UK authorities issued warnings.
  • Security community debate: some argue for faster, broader sharing of mitigation details to give defenders an edge; others defend staged disclosure to allow patches to be deployed first.
  • Observed attacker behaviours include scanning for RCE, attempts to steal AWS credentials/configuration, and installation of downloaders contacting C2 infrastructure.

Context and relevance

This incident underlines how pervasive open‑source libraries are across the web and how quickly high‑severity flaws can ripple into global outages and active exploitation. The mix of working and fake POCs is sowing confusion among defenders, while nation‑level and criminal groups are lining up to weaponise the flaw for credential theft, initial access and ransomware.

For organisations running React, Next.js, or relying on CDN/WAF protections from providers like Cloudflare, this is a reminder to prioritise patching, verify mitigations against credible POCs, and monitor for indicators such as unusual scans, attempts to access config/credentials, or unexpected downloader activity.

Why should I read this?

Because if you host React/Next.js services or use Cloudflare, this directly affects you. The hole is nasty, exploits hit fast, and even big vendors can trip over mitigations and cause outages — so patch, check your WAF rules, and don’t trust every ‘POC’ you see online.

Author style

Punchy: this is urgent and actionable. Treat the story as a wake‑up call — patch immediately, validate mitigations, and keep an eye on threat intel feeds. The outage shows even defenders’ responses can cause collateral damage if rushed or misconfigured.

Source

Source: https://go.theregister.com/feed/www.theregister.com/2025/12/05/react2shell_pocs_exploitation/