LEMON BLOG

Cloudflare Explains Global Outage: React2Shell Mitigations at the Centre of the Incident

The internet had a rough morning when countless websites suddenly began throwing "500 Internal Server Error" messages. From small blogs to large enterprise platforms, traffic across the globe was briefly disrupted — all pointing back to Cloudflare, one of the world's biggest internet infrastructure providers.

Cloudflare has now come forward with an explanation: the outage wasn't the work of hackers, but an unintended consequence of urgent security measures deployed to protect customers from a newly discovered and actively exploited vulnerability in React Server Components.

What Triggered the Outage?

Cloudflare's CTO, Dane Knecht, clarified that the disruption stemmed from emergency changes made to their internal request-handling logic. The company had been rolling out mitigations for React2Shell, a maximum-severity remote code execution (RCE) flaw affecting the React ecosystem and several popular frameworks built on top of it.

The quick patch effort had an unexpected side effect — it interfered with Cloudflare's body parsing logic, causing a significant subset of traffic to fail. According to Cloudflare's post-mortem, around 28% of all HTTP traffic passing through its global network was affected.

Despite the scale of the disruption, Cloudflare stressed that this was not the result of a cyber attack or any form of malicious activity. Instead, it was a rare case where critical security work accidentally caused a major operational issue.

Understanding the React2Shell Vulnerability

The vulnerability at the centre of all this — tracked as CVE-2025-55182 — is a serious RCE flaw inside the React Server Components (RSC) "Flight" protocol.

In simple terms, attackers can exploit this bug by sending special HTTP requests that trick React and Next.js applications into executing arbitrary code on the server. What makes it especially dangerous is that:

Frameworks such as Next.js, React Router, Waku, Redwood, and tooling from Parcel and Vite are among the ecosystems exposed to the flaw.

While many default setups of RSC packages — including react-server-dom-webpack and react-server-dom-turbopack — are vulnerable, older or non-RSC-based React applications are not affected.
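As a first triage step for the packages and frameworks named above, the following added example (not from Cloudflare, React or the original post) inventories an npm lockfile for installed copies of the RSC packages. It reports presence only, since this article does not list fixed versions; the framework-to-npm-name mapping and the sample lockfile are assumptions of the example.

```javascript
// Added example: inventory only. Compare reported versions with the vendor advisory.
// RSC_PACKAGES are the package names given in the article; FRAMEWORKS maps some
// frameworks it names to npm package names (an assumption of this example).
const RSC_PACKAGES = new Set(["react-server-dom-webpack", "react-server-dom-turbopack"]);
const FRAMEWORKS = new Set(["next", "react-router", "waku"]);

// Lockfile v2/v3 keys look like "node_modules/a/node_modules/b"; the package
// name is everything after the last "node_modules/" (covers scoped names too).
function nameFromKey(key) {
  const marker = "node_modules/";
  const i = key.lastIndexOf(marker);
  return i === -1 ? null : key.slice(i + marker.length);
}

// Returns one finding per installed copy, including copies nested under
// another dependency. Frameworks are flagged for manual review because a
// framework may ship RSC code without a separate lockfile entry for it.
function inventoryRsc(lockfile) {
  const findings = [];
  for (const [key, meta] of Object.entries(lockfile.packages || {})) {
    const name = nameFromKey(key);
    if (!name) continue; // "" is the root project entry
    const kind = RSC_PACKAGES.has(name) ? "rsc-package"
      : FRAMEWORKS.has(name) ? "framework-review" : null;
    if (!kind) continue;
    findings.push({
      kind, name, path: key,
      version: meta.version || "unknown",
      nested: key.indexOf("node_modules/") !== key.lastIndexOf("node_modules/"),
      devOnly: meta.dev === true,
    });
  }
  return findings;
}

// Constructed sample lockfile (versions are placeholders, not advisory data).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/react": { version: "0.0.0-sample" },
    "node_modules/next": { version: "0.0.0-sample" },
    "node_modules/some-plugin/node_modules/react-server-dom-webpack": { version: "0.0.0-sample", dev: true },
    "node_modules/@scope/react-server-dom-webpack-shim": { version: "0.0.0-sample" },
  },
};

console.log(inventoryRsc(SAMPLE_LOCK));
```

In a real project, pass the parsed contents of `package-lock.json` to `inventoryRsc` and treat every finding as a version to check against the official advisory.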

Active Exploitation Already Underway

The security community is treating React2Shell as a high-urgency threat. Just hours after the vulnerability details were released publicly, threat intelligence teams began detecting exploitation attempts.

Amazon Web Services (AWS) researchers reported that multiple China-linked hacking groups, including the well-known Earth Lamia and Jackpot Panda clusters, were already abusing the vulnerability.

The UK's NHS England National Cyber Security Operations Centre (CSOC) echoed the alarm, noting that functional proof-of-concept exploits have surfaced online and warning that continued real-world attacks are "highly likely."

In short: this is a flaw attackers are moving quickly to take advantage of.

Cloudflare's Recent Troubles

The company is no stranger to global-scale disruptions. Just last month, a massive outage crippled Cloudflare's Global Network for almost six hours, an incident CEO Matthew Prince called the worst outage they've experienced since 2019.

In June, Cloudflare also scrambled to fix a separate incident that broke Access authentication and caused Zero Trust WARP failures across multiple regions, even affecting portions of Google Cloud.

This latest outage, tied to urgent security patching, highlights the delicate balance between rapid mitigation and maintaining the stability of a network that powers a large portion of the internet.
