Amid new reports of attackers pummeling a maximum security hole (CVE-2025-55182) in the React JavaScript library, Cloudflare’s technology chief said his company took down its own network, forcing a widespread outage early Friday, to patch React2Shell.
The network failure, which affected about 28 percent of HTTP traffic served by Cloudflare and caused websites around the world to go dark, "was not caused, directly or indirectly, by a cyber attack on Cloudflare’s systems or malicious activity of any kind," said Cloudflare Chief Technical Officer Dane Knecht in a Friday blog.
"Instead, it was triggered by changes being made to our body parsing logic while attempting to detect and mitigate an industry-wide vulnerability disclosed this week in React Server Components," he added.
Cloudflare’s snafu follows multiple reports from threat intel bods about attackers battering the critical React2Shell flaw, and several proofs-of-concept – some working, some fake – circulating on the internet, all of which started just hours after the bug was publicly disclosed.
All of this illustrates the ubiquity of open source code powering the internet, and according to at least one threat-hunting exec, should encourage the security community to rethink the whole disclosure process.
"Maybe we need to trust the security community and security providers more to act quickly and provide mitigations before threat actors are ready to exploit at a global scale," opined Radware VP of threat intel Pascal Geenens to The Register. "It’s a race, but more security providers would be able to win if they had access to complete and accurate information."
Chain React-ion
Here’s what we know thus far about the CVE, who is abusing it, and proofs-of-concept (POCs) that work, plus some that don’t.
On Wednesday, the React team disclosed the 10.0 CVSS rated flaw, an insecure deserialization vulnerability now dubbed React2Shell by Lachlan Davidson, the researcher who found and reported the bug. The flaw is easy to abuse: It does not require authentication and allows remote attackers to execute malicious code on vulnerable instances.
It also affects React frameworks and bundlers, notably web development framework Next.js.
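Because the flaw sits in the React Server Components packages that frameworks and bundlers pull in, a patch is only complete once every installed copy, including nested duplicates deep in node_modules, is on a fixed version. The following is an added defensive example written for this article (it is not code from The Register, Cloudflare, or the React project): it inventories the RSC-related packages in a package-lock.json and classifies each copy against fixed versions that you supply from the React advisory. Assumptions: the lockfile uses the v2/v3 layout (a `packages` object keyed by path), the package names to check are React's RSC bindings plus Next.js, and the fixed version numbers in the sample are constructed placeholders, not the advisory's real values.

```javascript
// Added example, not from the article or the React project. Audits a
// package-lock.json (v2/v3 layout) for React Server Components packages and
// reports whether each installed copy is below the fixed version for its
// release line. Fixed versions are NOT on this page: pass in the ones from
// the React advisory, one per release line (fixes are usually backported).

// Package names assumed to carry the RSC implementation, plus Next.js.
const RSC_PACKAGES = new Set([
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
  "next",
]);

// Parse "19.2.0-canary-abc" -> { nums: [19, 2, 0], pre: "canary-abc" }.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  if (!m) return null;
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || "" };
}

// Semver-style ordering (-1, 0, 1). A prerelease such as a canary build sorts
// below the release with the same numbers, so 19.2.0-canary-x < 19.2.0.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  if (!pa || !pb) throw new Error(`unparseable version: ${a} / ${b}`);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] < pb.nums[i] ? -1 : 1;
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === "") return 1;
  if (pb.pre === "") return -1;
  return pa.pre < pb.pre ? -1 : 1;
}

// Package name at a lockfile path: the text after the last "node_modules/",
// which keeps a scope prefix such as "@scope/name" intact.
function packageNameFromPath(p) {
  const idx = p.lastIndexOf("node_modules/");
  return idx === -1 ? null : p.slice(idx + "node_modules/".length);
}

// Pick the fixed version that belongs to the installed major.minor line.
function fixedForLine(installed, fixedList) {
  const pi = parseVersion(installed);
  if (!pi) return null;
  return (
    (fixedList || []).find((f) => {
      const pf = parseVersion(f);
      return pf && pf.nums[0] === pi.nums[0] && pf.nums[1] === pi.nums[1];
    }) || null
  );
}

// Walk every lockfile entry and classify each RSC-related package as
// "vulnerable", "fixed", or "unknown" (no fixed version for that line given).
function auditLockfile(lock, fixedVersions) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = packageNameFromPath(path);
    if (!name || !RSC_PACKAGES.has(name) || !entry.version) continue;
    const fixed = fixedForLine(entry.version, fixedVersions[name]);
    let status = "unknown";
    if (fixed) {
      status = compareVersions(entry.version, fixed) < 0 ? "vulnerable" : "fixed";
    }
    findings.push({ path, name, version: entry.version, fixed, status });
  }
  return findings;
}

// Constructed sample lockfile: a top-level canary copy, a nested duplicate
// under a legacy tool, and one package on an old major line.
const SAMPLE_LOCK = {
  name: "sample-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", version: "1.0.0" },
    "node_modules/react": { version: "19.2.0" },
    "node_modules/next": { version: "15.1.0" },
    "node_modules/react-server-dom-webpack": { version: "19.2.0-canary-abc123" },
    "node_modules/legacy-tool/node_modules/react-server-dom-webpack": { version: "19.0.0" },
    "node_modules/react-server-dom-turbopack": { version: "19.1.5" },
    "node_modules/react-server-dom-parcel": { version: "18.3.1" },
  },
};

// PLACEHOLDER fixed versions, constructed for the demo only. Replace with the
// per-line fixed versions from the React advisory before using this for real.
const SAMPLE_FIXED = {
  "react-server-dom-webpack": ["19.0.2", "19.1.2", "19.2.2"],
  "react-server-dom-turbopack": ["19.1.2"],
  "react-server-dom-parcel": ["19.1.2"],
  next: ["15.1.2"],
};

// CLI: node audit-rsc.js [package-lock.json] [fixed-versions.json]
// With no arguments it runs on the constructed sample above.
if (typeof require !== "undefined" && require.main === module) {
  const fs = require("fs");
  const lock = process.argv[2] ? JSON.parse(fs.readFileSync(process.argv[2], "utf8")) : SAMPLE_LOCK;
  const fixed = process.argv[3] ? JSON.parse(fs.readFileSync(process.argv[3], "utf8")) : SAMPLE_FIXED;
  for (const f of auditLockfile(lock, fixed)) {
    console.log(`${f.status.padEnd(10)} ${f.name}@${f.version}  (${f.path})`);
  }
}
```

The per-line lookup is the part worth copying: a single "minimum fixed version" would mark a patched 19.0.x copy as fixed or vulnerable purely by where it falls relative to a 19.2.x number, whereas fixes like this one are normally backported to each supported line. An "unknown" result means your fixed-version list does not cover that line and the copy needs a manual look rather than being silently passed.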
As of Thursday, the British government warned that CVE-2025-55182 was under active exploitation, and noted several functional POCs in the wild. The US Cybersecurity and Infrastructure Security Agency (CISA) added the bug to its Known Exploited Vulnerabilities Catalog a day later.
Also on Thursday, Amazon issued an advisory and warned Beijing-backed crews began hammering the critical security hole within hours of disclosure, citing "active exploitation attempts by multiple China state-nexus threat groups, including Earth Lamia and Jackpot Panda."
Other threat hunters say they are seeing similar abuse of React2Shell.
"We are tracking alleged PRC-affiliated groups and continue to investigate and confirm activity," Justin Moore, senior manager of threat intel research at Palo Alto Networks’ Unit 42, told The Register on Friday.
"As of today, Unit 42 has confirmed a number of affected organizations across various sectors," Moore said. "We have observed scanning for vulnerable RCE, reconnaissance activity, attempted theft of AWS configuration and credential files, as well as installation of downloaders to retrieve payloads from attacker command and control infrastructure."
Meanwhile, security firm Bitdefender predicted: "Ransomware-as-a-Service (RaaS) groups and Initial Access Brokers (IABs) will rapidly weaponize this flaw to secure footholds in corporate networks as soon as a PoC is published."
According to Davidson, a functional POC started making the rounds about 30 hours after the bug’s disclosure, and he shared his POCs hours later, with full writeups coming soon.
Hacker maple3142 posted one of these POCs to GitHub, and Ox Security pen testers confirmed that it works. "This shows that this vulnerability is not just theoretical but actually highly risky, and should be patched immediately on your internet-facing services," Nir Zadok and Moshe Siman Tov Bustan said on Friday.
However, as Davidson and other researchers noted, fake PoCs are spreading like wildfire, too.
"Anything that requires the developer to have explicitly exposed dangerous functionality to the client is not a valid PoC," Davidson wrote. "Common examples we’ve seen in supposed ‘POCs’ are vm#runInThisContext, child_process#exec, and fs#writeFile. This would only be exploitable if you had consciously chosen to let clients invoke these, which would be dangerous no matter what."
What this says about responsible disclosure
These invalid POCs, combined with limited details about the exploit itself, may have given attackers the advantage, according to Geenens. This is especially true "when open source software is involved, because anyone can access the details of the code changes required to fix the vulnerability," he told The Register.
Geenens doesn’t fault Davidson for waiting to share additional details or publish his POCs. "I think many security researchers would act exactly the same, trying to buy the security community time to develop protections and for organizations to deploy the update before widespread exploiting in the wild starts," he said.
But, he added, rapid exploitation attempts reported by AWS and others "suggest we may need to rethink this strategy."
Government-backed cyber operatives have the hacking expertise – and deep pockets – necessary to quickly develop exploits based on limited info, Geenens explained.
"Not sharing the details of the exploit might give them the edge they need to get ahead of some organizations’ protections," he said. "The limited information led to inaccurate assumptions and invalid information circulating in the community, potentially affecting the mitigations some organizations have put in place and giving them a false sense of security." ®