Cloudflare reported a brief, widespread outage on Friday that caused websites and platforms to return a “500 Internal Server Error”. Cloudflare said the interruption was caused by a change to how its Web Application Firewall parses requests, a change deployed as an emergency measure to mitigate a critical vulnerability in React Server Components.
The flaw, tracked as CVE-2025-55182 and dubbed React2Shell, affects the React open-source JavaScript library and a number of dependent frameworks including Next.js, React Router, Waku, @parcel/rsc, @vitejs/plugin-rsc and RedwoodSDK. The vulnerability resides in the React Server Components “Flight” protocol.
Security researchers say the issue can allow unauthenticated attackers to achieve remote code execution by sending maliciously crafted HTTP requests to React Server Function endpoints. The flaw affects React releases 19.0, 19.1.0, 19.1.1 and 19.2.0, and multiple React server packages in their default configurations are vulnerable.
Researchers at Amazon Web Services reported that several China-linked hacking groups, including Earth Lamia and Jackpot Panda, began exploiting the vulnerability within hours of its disclosure. The NHS England National CSOC said on Thursday that functioning proof-of-concept exploits are circulating and warned that continued successful exploitation in the wild is highly likely; additional examples are already available.
Cloudflare emphasized that the change was not an attack and that it was deployed to help mitigate the industry-wide vulnerability, and said it would share more information as it becomes available. The company has faced other major outages this year, including an incident last month that reportedly brought down its global network for almost six hours – an outage its CEO called the “worst outage since 2019” – and a separate disruption in June that affected Access authentication and Zero Trust services.

