Cloudflare blames Friday outage on borked fix for React2shell vuln

Amid new reports of attackers pummeling a maximum security hole (CVE-2025-55182) in the React JavaScript library, Cloudflare's technology chief said his company took down its own network, forcing a widespread outage early Friday, to patch React2Shell.

The network failure, which affected about 28 percent of HTTP traffic served by Cloudflare and caused websites around the world to go dark, "was not caused, directly or indirectly, by a cyber attack on Cloudflare's systems or malicious activity of any kind," said Cloudflare Chief Technical Officer Dane Knecht in a Friday blog.

"Instead, it was triggered by changes being made to our body parsing logic while attempting to detect and mitigate an industry-wide vulnerability disclosed this week in React Server Components," he added.

Cloudflare's snafu follows multiple reports from threat intel bods about attackers battering the critical React2Shell flaw, and several proof-of-concepts – some working, some fake – circulating on the internet ...