Cloudflare faced a major global outage earlier today, causing many websites to show a “500 Internal Server Error” message. The company has now confirmed that the issue was triggered by its own emergency patch, not by an attack.
Cloudflare said the disruption happened after it deployed a change to its Web Application Firewall. The update was pushed urgently to protect customers from a new and critical security flaw in React Server Components. The vulnerability, tracked as CVE-2025-55182 and known as React2Shell, is now being actively exploited.
React2Shell is a maximum-severity remote code execution flaw. It affects React itself and several major frameworks built on top of it, including Next.js, React Router, RedwoodSDK, Waku, and other libraries that rely on React Server Components. The issue sits inside the RSC “Flight” protocol, which allows attackers to run code on vulnerable apps by sending malicious HTTP requests.
The flaw impacts only recent versions of React, specifically versions 19.0, 19.1.0, 19.1.1, and 19.2.0. Several React packages, including react-server-dom-parcel, turbopack, and webpack variants, are vulnerable in their default configuration.
Security teams say attacks have already started. Researchers at AWS reported that multiple China-linked hacking groups, including Earth Lamia and Jackpot Panda, began exploiting the flaw within hours of it being disclosed. NHS England’s cybersecurity center also confirmed that working proof-of-concept exploits are already public and warned that more attacks are likely.
This is the second major outage Cloudflare has faced in recent weeks. Last month, the company’s global network went down for almost six hours in what the CEO called the worst incident since 2019. In June, Cloudflare also dealt with a widespread issue that disrupted Zero Trust services and even affected parts of Google Cloud.
