Cloudflare Outage as Chinese Hackers Begin Actively Exploiting React2Shell (CVE-2025-55182) Zero-Day
A major cybersecurity development unfolded today as Cloudflare briefly went offline after pushing an emergency Web Application Firewall (WAF) rule designed to mitigate the newly disclosed React2Shell vulnerability, officially tracked as CVE-2025-55182. The flaw, rated CVSS 10.0, allows unauthenticated Remote Code Execution (RCE) through React Server Components (RSC).
Within hours of the public disclosure, cybersecurity researchers detected active exploitation by China-linked threat groups, accelerating global concerns around the zero-day.
This article breaks down the incident, the threat actors involved, why Cloudflare's infrastructure stumbled, and what developers must do immediately to protect their applications.
What Is React2Shell (CVE-2025-55182)?
React2Shell is a critical vulnerability affecting:
- React 19.0, 19.1.0, 19.1.1, 19.2.0
- react-server-dom-webpack
- react-server-dom-parcel
- react-server-dom-turbopack
The flaw stems from a dangerous decoding weakness inside React Server Components and Server Functions. Attackers can craft malicious HTTP requests that trigger RCE on any server running the vulnerable RSC stack.
A full, in-depth breakdown is available in my previously published analysis here:
👉 React Server Components CVE-2025-55182 Next.js Vulnerability
This zero-day impacts leading frameworks including:
- Next.js 15 & 16
- React Router (RSC mode)
- Waku
- RedwoodSDK
- Expo (when using RSC)
- Vite RSC plugin
- Parcel RSC
This means a huge percentage of modern JavaScript applications are exposed.
How React2Shell Is Being Exploited (Technical Behavior)
AWS researchers observed threat actors performing:
- whoami execution
- Reading sensitive files (/etc/passwd)
- Writing markers such as /tmp/pwned.txt
- Automated scanning for unpatched systems
- Attempts to chain React2Shell with other N-day exploits
This shows attackers are not merely probing; they are actively attempting post-exploitation behavior consistent with RCE compromise.
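Detection logic for the behaviors listed above, as an added example (not from AWS's report or the original article): it scans process-execution events for a server runtime spawning those commands. The JSON event schema, host names, and parent process names are constructed assumptions.

```javascript
// Post-exploitation behaviors named in this article, matched on a child command line.
const INDICATORS = [
  { id: 'whoami', re: /(^|[\s;|&/])whoami(\s|;|$)/ },
  { id: 'read-passwd', re: /\/etc\/passwd\b/ },
  { id: 'marker-file', re: /\/tmp\/pwned\.txt\b/ },
];
// Assumed process names for runtimes that host an RSC server.
const SERVER_PARENTS = new Set(['node', 'next-server']);

// Returns one alert per host whose server process spawned a matching command.
function detect(lines) {
  const byHost = new Map();
  for (const line of lines) {
    let ev;
    try { ev = JSON.parse(line); } catch { continue; } // skip malformed records
    if (!ev || !SERVER_PARENTS.has(ev.parent) || typeof ev.cmd !== 'string') continue;
    for (const { id, re } of INDICATORS) {
      if (!re.test(ev.cmd)) continue;
      if (!byHost.has(ev.host)) byHost.set(ev.host, new Set());
      byHost.get(ev.host).add(id);
    }
  }
  // Several distinct behaviors on one host look like a working RCE, not a stray probe.
  return [...byHost].map(([host, ids]) => ({
    host,
    indicators: [...ids].sort(),
    severity: ids.size >= 2 ? 'high' : 'medium',
  }));
}

// Constructed sample events (hypothetical schema: host, parent process, command line).
const sampleEvents = [
  '{"host":"web-1","parent":"node","cmd":"sh -c whoami"}',
  '{"host":"web-1","parent":"node","cmd":"cat /etc/passwd"}',
  '{"host":"web-1","parent":"node","cmd":"sh -c echo x > /tmp/pwned.txt"}',
  '{"host":"web-2","parent":"bash","cmd":"whoami"}', // admin shell, not the server
  '{"host":"web-3","parent":"node","cmd":"node_modules/.bin/next build"}',
  'not json',
  '{"host":"web-4","parent":"next-server","cmd":"/usr/bin/whoami"}',
];
console.log(detect(sampleEvents));
```

Filtering on the parent process keeps interactive administrator shells out of the alerts; only commands spawned by the web server runtime are reported.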
Chinese Threat Groups Begin Weaponizing the Vulnerability

Amazon Web Services (AWS) confirmed that two China-linked threat actors have already incorporated React2Shell into their exploitation pipelines:
Earth Lamia
Known for:
- Attacks exploiting SAP NetWeaver vulnerabilities
- Targeting financial, logistics, retail, education, and government sectors
- Operations across LATAM, Middle East, and Southeast Asia
Jackpot Panda
A threat group linked to:
- Online gambling ecosystem attacks
- Supply-chain compromise of CloudChat (2022)
- Deployment of XShade and CplRAT malware
- Chinese-speaking domestic surveillance campaigns
AWS's detailed threat intelligence report is available here: 👉 AWS MadPot Analysis
These groups were observed weaponizing React2Shell within hours of public disclosure, highlighting the urgency for all developers and organizations to patch now.
Cloudflare's Outage: What Went Wrong?

Cloudflare confirmed that this morning's widespread 500 Internal Server Errors were not caused by an attack but by a faulty WAF rule update deployed to block React2Shell exploit patterns.
In Cloudflare's official statement:
“A change made to how Cloudflare's Web Application Firewall parses requests caused Cloudflare's network to be unavailable for several minutes… This was not an attack.”
Their full explanation can be read here: 👉 Cloudflare outage explanation
Why the outage occurred:
- The WAF rule incorrectly parsed RSC exploit payload signatures
- It triggered a cascading failure across multiple Cloudflare PoPs
- Several platforms and applications experienced temporary downtime
- Cloudflare rolled the rule back and restored stability
This highlights a key issue with global WAF deployment:
One misconfigured rule can affect the entire network instantly.
Who Is Affected by React2Shell? - Developer Checklist
You're likely vulnerable if you use:
Frameworks
- Next.js 15.0.x - 15.5.x
- Next.js 16.0.x
- React Router (unstable RSC APIs)
- Expo RSC
- Waku
- Redwood SDK
- Vite RSC plugin
- Parcel RSC toolchain
Environment Risk
- Node.js servers
- Vercel serverless functions
- Cloudflare Workers (via SSR)
- AWS Lambda / Lambda@Edge
- Any custom RSC-enabled SSR environment
How to Fix the React2Shell Vulnerability
Update React Immediately
Install the patched version that matches your release line:
npm install react@19.0.1   # for 19.0.x
npm install react@19.1.2   # for 19.1.x
npm install react@19.2.1   # for 19.2.x
Update Next.js
Install the patched version that matches your release line:
npm install next@15.0.5
npm install next@15.1.9
npm install next@15.2.6
npm install next@15.3.6
npm install next@15.4.8
npm install next@15.5.7
npm install next@16.0.7
If you're on a canary build, move to the stable 14.x release:
npm install next@14
Always rebuild and redeploy after patching.
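To verify what is actually installed after patching, the following added example (not code from React, Next.js, or the original article) checks a parsed package-lock.json against the patched versions listed above, including nested copies. The sample lockfile is constructed, and treating the react-server-dom-* packages as sharing React's version lines is an assumption.

```javascript
// Patched release per release line, as listed in this article.
// Assumption: react-server-dom-* packages use the same version lines as react.
const REACT = { '19.0': '19.0.1', '19.1': '19.1.2', '19.2': '19.2.1' };
const PATCHED = {
  react: REACT,
  'react-server-dom-webpack': REACT,
  'react-server-dom-parcel': REACT,
  'react-server-dom-turbopack': REACT,
  next: { '15.0': '15.0.5', '15.1': '15.1.9', '15.2': '15.2.6', '15.3': '15.3.6',
          '15.4': '15.4.8', '15.5': '15.5.7', '16.0': '16.0.7' },
};

// Returns 'patched', 'vulnerable', 'review' (needs a human) or 'not-listed'.
function classify(name, version) {
  if (!Object.hasOwn(PATCHED, name)) return 'not-listed';
  const m = /^(\d+)\.(\d+)\.(\d+)(-.+)?$/.exec(version);
  if (!m || m[4]) return 'review'; // unparseable or prerelease/canary build
  const fixed = PATCHED[name][`${m[1]}.${m[2]}`];
  if (!fixed) return 'not-listed'; // release line not covered by the article
  return Number(m[3]) >= Number(fixed.split('.')[2]) ? 'patched' : 'vulnerable';
}

// Walks the "packages" map of a package-lock.json (lockfileVersion 2 or 3),
// so nested copies pulled in by other dependencies are checked too.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf('node_modules/');
    if (idx === -1) continue; // root project entry
    const name = path.slice(idx + 'node_modules/'.length);
    const status = classify(name, meta.version || '');
    if (status === 'vulnerable' || status === 'review') {
      findings.push({ path, version: meta.version, status });
    }
  }
  return findings;
}

// Constructed sample lockfile (not from a real project).
const sampleLock = { packages: {
  '': { name: 'demo-app', version: '1.0.0' },
  'node_modules/react': { version: '19.1.2' },
  'node_modules/next': { version: '15.4.7' },
  'node_modules/react-server-dom-webpack': { version: '19.2.0' },
  'node_modules/some-lib/node_modules/react': { version: '19.0.0' },
  'node_modules/lodash': { version: '4.17.21' },
} };
console.log(auditLockfile(sampleLock));
```

For a real project, pass the parsed contents of package-lock.json to `auditLockfile`; canary and other prerelease builds are reported as `review` rather than guessed at.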
Cloudflare-Specific Mitigations
If you use Cloudflare:
- Reset WAF rules to default
- Manually add safer React2Shell filter signatures
- Avoid applying broad WAF regex rules until they are tested
- Monitor logs for unusual access attempts
- Enable Rate Limiting & Bot Fight Mode
Broader Cybersecurity Implications
React2Shell demonstrates:
- The speed at which threat actors operate today
- The scale of frameworks relying on RSC
- The complexity of modern WAF systems
- The interdependent risk across the JavaScript ecosystem
- The need for rapid patching cycles
Even tech giants like Cloudflare are affected when responding to zero-day threats at global scale.
Conclusion
React2Shell (CVE-2025-55182) is one of the most severe RSC vulnerabilities ever disclosed. The combination of:
- Active exploitation by China-linked threat actors
- Cloudflare's emergency WAF failure
- Widespread framework exposure
- Unauthenticated remote code execution
…makes this a critical, time-sensitive event for developers, security teams, and hosting providers.
Patch immediately, verify your infrastructure, and continue monitoring official advisories.