Cloudflare says Friday outage caused by critical React security update, not malicious cyberattack


Cloudflare suffered a major service outage early Friday morning, and now reveals the disruption was caused by a faulty update intended to harden systems against the much-publicized, critical React2Shell vulnerability.

Key takeaways:

The incident – marking the company’s second major outage in just over two weeks – began at 3:47 AM Eastern Time and lasted just about 25 minutes.


The December 5th Cloudflare outage knocked out “approximately 28% of all HTTP traffic” moving through Cloudflare’s network – equal to millions of users and businesses relying on Cloudflare’s CDN, WAF, and security layers to stay online.

To put it in perspective, Cloudflare powers internet requests for millions of websites worldwide, serving 81 million HTTP requests per second.

React is also one of the most widely used JavaScript libraries for building websites.

Not a cyberattack

In a post-incident disclosure published later in the day, Cloudflare stressed that the failure was “not caused, directly or indirectly, by a cyber attack on Cloudflare’s systems or malicious activity of any kind.”

The San Francisco-based company instead said the incident was the result of an internal configuration change tied to the urgent security update to mitigate the critical React2Shell vulnerability (CVE-2025-55182), only disclosed in a bombshell announcement on Thursday.

Cloudflare HTTP disruption graph
The graph shows HTTP 500 errors served by Cloudflare's network during the incident timeframe (red line at the bottom), compared to unaffected total Cloudflare traffic (green line at the top). December 5th, 2025. Image by Cloudflare.

The bug, which allows attackers to run privileged, arbitrary code on servers without any authorization, was also found to already be in full use by Chinese nation-state actors, leaving IT teams scrambling to apply the fix.

In fact, within hours of the public disclosure, AWS security teams reported observing several of Beijing’s state-sponsored hacking groups attempting to exploit React Server Components, including the China nexus groups Earth Lamia and Jackpot Panda.

Still, “Any outage of our systems is unacceptable, and we know we have let the Internet down again following the incident on November 18,” Cloudflare wrote in the disclosure blog.

What happened?

The company said it had been rolling out protections against the flaw, increasing its HTTP buffer size from 128KB to 1MB to catch larger malicious payloads.

Initially, the gradual deployment of the update went smoothly, until engineers disabled an internal WAF (Web Application Firewall) testing tool that couldn’t support the new buffer size.

That change used Cloudflare’s global configuration system, which pushes updates across the entire global network within seconds.

Cloudflare December outage timeline
Image by Cloudflare

Within moments, a bug buried deep in Cloudflare’s older FL1 proxy “triggered a Lua error and caused every affected request to fail with an HTTP 500.”

Although only customers using the FL1 proxy and Cloudflare’s Managed Ruleset were affected, it still amounted to more than a quarter of all Cloudflare-served traffic.


Ironically, the cloud company said its China network remained unaffected.

Cloudflare engineers quickly identified what went wrong, rolled back the change at 04:11 a.m. ET, and restored traffic one minute later.


Promising changes, again

Last month’s massive Cloudflare outage – also caused by a configuration error, and described by Cloudflare CEO Matthew Prince as the company's "worst disruption since 2019" – impacted millions of users worldwide.

From major banks to mom-and-pop businesses, individuals were cut off from hundreds of popular sites, including ChatGPT, X, Discord, Spotify, and DoorDash. Although the outage itself lasted only about two hours, its effects reverberated across the internet for nearly half a day.

Cloudflare promised “architectural changes” to prevent a repeat of the November 18th outage - but those updates are apparently still in progress.

To address the gaps, Cloudflare says it will accelerate several initiatives:

  • Enhanced Rollouts & Versioning - for all configuration data, not just software.
  • Streamline "break glass" capabilities - to ensure safe emergency operations even when multiple systems falter.
  • “Fail-open” error handling - replace hard failures with safety defaults to prevent traffic drops caused by corrupt or out-of-range config files.
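As an added illustration (not Cloudflare's code), the contrast between the hard-failure behaviour that turned a bad config push into HTTP 500s and the “fail-open” handling described in the last bullet, using a hypothetical `buffer_size` setting and constructed values:

```python
from dataclasses import dataclass

KB = 1024
MB = 1024 * KB

# Constructed limits: the kind of request-buffer setting the article
# describes being raised from 128KB to 1MB (hypothetical key names).
SAFE_DEFAULT_BUFFER = 128 * KB
MAX_BUFFER = 1 * MB


@dataclass
class ProxyConfig:
    buffer_size: int
    warnings: tuple = ()


class ConfigError(Exception):
    """Hard failure: every request evaluated with this config errors out."""


def load_hard_fail(raw: dict) -> ProxyConfig:
    # Fail-closed loader: any malformed or out-of-range value aborts
    # processing, which a proxy surfaces to users as an HTTP 500.
    size = raw.get("buffer_size")
    if not isinstance(size, int) or size <= 0 or size > MAX_BUFFER:
        raise ConfigError(f"buffer_size out of range: {size!r}")
    return ProxyConfig(buffer_size=size)


def load_fail_open(raw: dict) -> ProxyConfig:
    # Fail-open loader: a malformed value falls back to the last-known-safe
    # default and an oversized one is clamped; both are recorded so operators
    # get alerted while traffic keeps flowing.
    size = raw.get("buffer_size")
    warnings = []
    if not isinstance(size, int) or size <= 0:
        warnings.append(f"buffer_size invalid ({size!r}); using safe default")
        size = SAFE_DEFAULT_BUFFER
    elif size > MAX_BUFFER:
        warnings.append(f"buffer_size {size} exceeds max; clamped to {MAX_BUFFER}")
        size = MAX_BUFFER
    return ProxyConfig(buffer_size=size, warnings=tuple(warnings))


def handle_request(loader, raw: dict) -> int:
    # Simulates a proxy applying the config per request and returns the
    # HTTP status a user would see.
    try:
        loader(raw)
    except ConfigError:
        return 500
    return 200
```

A constructed out-of-range push such as `{"buffer_size": 4 * MB}` yields 500 through `load_hard_fail` but 200 (with a recorded warning) through `load_fail_open`.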

Until those improvements are complete, Cloudflare says it has frozen all non-essential network changes.


“On behalf of the team at Cloudflare we want to apologize for the impact and pain this has caused again to our customers and the Internet as a whole,” the company said, for the second time in less than a month.

