Cloudflare Sees 25-Minute Outage Due to Urgent React2Shell Patch Deployment

Cloudflare’s Global Outage Linked to Emergency React2Shell Patch Deployment

On December 5, 2025, Cloudflare experienced a significant global network disruption lasting approximately 25 minutes. This outage was traced back to an internal modification in its Web Application Firewall (WAF), implemented urgently to address a critical vulnerability in React Server Components.

Incident Overview

The disruption commenced around 8:47 GMT, affecting Cloudflare’s Dashboard, APIs, and services that rely on its proxy. Users worldwide encountered 500 Internal Server Errors, impacting numerous websites, including prominent platforms such as Coinbase, Claude AI by Anthropic, Zerodha, and Groww.

Cloudflare’s status page confirmed that the outage resulted from changes in the WAF’s request parsing mechanisms. These changes were swiftly deployed to mitigate CVE-2025-55182, a severe remote code execution (RCE) vulnerability, colloquially known as React2Shell.

Understanding React2Shell

Disclosed on December 3, 2025, React2Shell exploits insecure deserialization within React’s Server Components Flight protocol. This flaw allows unauthenticated attackers to execute arbitrary code by sending malicious HTTP requests to server function endpoints.

The vulnerability affects React versions 19.0 through 19.2.0 and extends to frameworks like Next.js (versions 15.x to 16.x), React Router, Waku, and RedwoodSDK.

Cloudflare’s Response and Subsequent Outage

In response to the React2Shell disclosure, Cloudflare proactively deployed WAF rules on December 2 to block potential exploits, thereby automatically protecting all proxied traffic, including that of free-tier customers. Notably, no exploit attempts were detected through these rules before the outage.

However, the rapid deployment of additional WAF modifications on December 5 inadvertently led to a temporary network unavailability. Cloudflare’s engineering team promptly identified the issue, rolled back the changes, and restored services by 9:20 UTC.

The company clarified, “This was not an attack; the change was deployed by our team to help mitigate the industry-wide vulnerability.”

Broader Implications and Industry Response

The React2Shell vulnerability has garnered significant attention, with reports of exploitation by groups such as Earth Lamia and Jackpot Panda within hours of its disclosure. Proof-of-concept exploits are circulating widely, prompting urgent patch recommendations for React 19.2.1 and updated Next.js versions. Security firms like Rapid7 have cautioned that even applications without explicit server functions remain at risk if they support React Server Components.

Cloudflare’s Recent Challenges

This incident marks Cloudflare’s second major service disruption in recent weeks. On November 18, the company faced an outage due to issues with its Bot Management system. Earlier in June, a separate incident impacted its Zero Trust services. CEO Matthew Prince previously described the November event as the worst since 2019.

Despite these challenges, Cloudflare has assured a full recovery and continues to monitor its systems closely. The company urges all React users to update their software promptly to mitigate potential risks associated with React2Shell.