Cloudflare Down: 'React2Shell' Patch Breaks the Internet, Not DDoS

What Happened

On December 5, 2025, at approximately 8:56 AM UTC, a massive percentage of the internet simply stopped working. Cloudflare, the backbone for millions of websites, suffered a critical outage that impacted nearly 28% of all HTTP traffic globally.

While initial rumors on social media pointed to a massive Distributed Denial of Service (DDoS) attack, the reality was something far more technical—and perhaps more concerning. The outage was caused by Cloudflare’s own attempt to fix a security flaw. The company deployed a mitigation patch for the newly disclosed “React2Shell” vulnerability (CVE-2025-55182), but the fix itself contained a fault that triggered a cascading failure across their network.

Service was largely restored by 9:12 AM UTC, but for those 16 minutes, the internet effectively held its breath.

Key Details

• The Cause: A faulty configuration change deployed to mitigate CVE-2025-55182 (React2Shell).
• The Impact: An estimated 20-28% of global HTTP traffic was disrupted.
• Affected Services: Major platforms including DoorDash, Crunchyroll, and Cash App went offline or experienced severe errors.
• The Vulnerability: React2Shell is a critical unauthenticated Remote Code Execution (RCE) flaw affecting the React/Next.js ecosystem, publicly disclosed just two days prior.

Why It Matters

This incident highlights the extreme fragility of the modern web. When a single provider like Cloudflare sneezes, the entire internet catches a cold.

The Security Dilemma

Cloudflare was in an impossible position: leave the network open to the “React2Shell” vulnerability—which attacks were already actively exploiting—or deploy a rapid fix. They chose the latter, but the speed of deployment led to a catastrophic “bad patch” scenario. This underscores the high-stakes poker game of zero-day patch management.

For Site Owners

If you rely solely on one CDN or security provider, you are at the mercy of their uptime. While Cloudflare is generally incredibly reliable, today’s event is a reminder that redundancy is key for mission-critical applications.

The Backstory

The “React2Shell” vulnerability (CVE-2025-55182) was disclosed on December 3, 2025. It affects the React JavaScript library ecosystem, including widely used frameworks like Next.js. Because it allows for Remote Code Execution without authentication, it is considered a “severity 10” threat. Threat actors, including ransomware groups, began scanning for and exploiting this flaw almost immediately, forcing infrastructure providers like Cloudflare to race against the clock to shield their customers.

Expert Reactions

Security Analysts noted that while the outage was painful, the alternative—mass exploitation of the React2Shell vulnerability—could have been worse. “The incident highlights the risks of rapid mitigation in large-scale cloud infrastructure,” noted reports from SecurityWeek, “but also the ongoing threat posed by newly disclosed severe vulnerabilities in widely used software libraries.”

What’s Next

Cloudflare has already rolled back the problematic specific configuration and replaced it with a verified fix.

Timeline:

• Immediate: Service has been restored.
• Short Term: Expect a detailed “Post-Mortem” blog post from Cloudflare engineering explaining exactly how the configuration change bypassed their canary testing protections.
• Long Term: A renewed industry conversation about how to safely deploy global mitigations for ubiquitous software flaws like those in React.

The Bottom Line

Today’s internet blackout wasn’t an attack by hackers, but a self-inflicted wound during a rescue attempt. Cloudflare tried to shield the web from the “React2Shell” exploit and accidentally broke the shield. It’s a stark reminder of how centralized our digital infrastructure has become—and how difficult it is to balance speed with stability in the face of critical security threats.