Yes, Cloudflare has acknowledged that modifications made to its systems to address the serious “React2Shell” vulnerability directly caused a recent outage.
The global service outage that occurred on Friday, December 5, 2025, resulted in the failure of websites and online platforms all across the world, was caused by an internal error “500 Internal Server Error” notice, in the emergency patch rollout for a security vulnerability that affected the whole industry rather than a cyberattack.
The event has now been attributed by the internet infrastructure business to the implementation of emergency mitigations intended to address a severe remote code execution vulnerability in React Server Components that is currently being aggressively exploited in attacks.
“Neither a cyberattack on Cloudflare’s systems nor any other malicious activity was directly or indirectly responsible for the problem. In a post-mortem, Cloudflare CTO Dane Knecht stated that it was instead caused by modifications made to our body parsing mechanism while trying to identify and address an industry-wide vulnerability found in React Server Components this week.
“A subset of customers were impacted, accounting for approximately 28% of all HTTP traffic served by Cloudflare.”
This high-severity security bug (named React2Shell) affects the React open-source JavaScript library for web and native user interfaces, as well as dependent React frameworks including Next.js, React Router, Waku, @parcel/rsc, @vitejs/plugin-rsc, and RedwoodSDK.
The vulnerability was discovered in the React Server Components (RSC) ‘Flight’ protocol, which allows unauthenticated attackers to gain remote code execution in React and Next.js applications by submitting malicious HTTP requests to React Server Function endpoints.
While numerous React packages in their default configuration (e.g., react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack) are susceptible, the problem only affects React versions 19.0, 19.1.0, 19.1.1, and 19.2.0 released within the last year.
The continuous exploitation of React2Shell according to security researchers with Amazon Web Services (AWS) have reported that several China-affiliated hacking groups, such as Earth Lamia and Jackpot Panda, have started exploiting the React2Shell vulnerability hours after the max-severity flaw was revealed, though the impact is not as widespread as initially thought.
Cloudflare’s Global Network was unavailable for over six hours last month due to another global outage, which CEO Matthew Prince called the “worst outage since 2019.”
In June, Cloudflare resolved yet another significant outage that affected Google Cloud’s infrastructure and resulted in Access authentication failures and Zero Trust WARP connectivity problems in several locations.
CVE-2025-55182 (also known as “React2Shell”) is the vulnerability that triggered the emergency action. It is a critical remote code execution (RCE) bug (10.0 CVSS score) discovered in the React Server Components (RSC) ‘Flight’ protocol that may be abused without authentication via unsafe deserialisation.
The vulnerability was aggressively exploited in the wild by threat actors linked to China within hours of its public announcement on December 3, 2025, prompting immediate action by service providers including Cloudflare.
We use cookies to ensure that we give you the best experience on our website. If you continue to use this site we will assume that you are happy with it.
