Cloudflare deployed a WAF rule to protect customers from CVE-2025-55182 (React Server Components RCE). The rule caused the outage it was meant to prevent.
Affected: Fortnite, Roblox, PlayStation Network, LinkedIn, Coinbase, Zoom, Spotify, ChatGPT, Perplexity, and even Downdetector. One X commenter joked: “We’re gonna need a downdetectordowndetector at this rate 😭”
Duration: ~30-40 minutes. Users saw 500 Internal Server Errors. Root cause: “A change to its Web Application Firewall (WAF) request parsing… briefly made parts of the network fail.”
Second Major Outage in Weeks
This is Cloudflare’s third major incident in ~3 months:
- November 18, 2025: 5.5-hour outage (Bot Management feature file bug)
- December 5, 2025: 30-minute outage (React CVE WAF rule)
Cloudflare handles ~20% of global web traffic. When it fails, the cascading effect is instant and global.
The WAF Warning: “Just a Bandaid”
Cloudflare announced WAF rules for the React CVE: “No action needed; the rule is enabled by default.”
One user immediately warned: “Please remember that a WAF rule is just a bandaid. Upgrade React today. There will be variations of exploit that will need new protections.”
The Cloudflare Workers team confirmed: “If you deploy on Cloudflare Workers, you are protected. The Workers security model prevents this exploit at the runtime layer. For users that rely on WAF to protect self-hosted applications, more variants of this exploit are already surfacing and we are evaluating each one. As always the best way to stay protected is to upgrade to the patched versions of React and NextJS as soon as possible.”
Translation: WAF rules buy time, but proper patching is the only real fix.
The Classic Debugging Story
One user asked: “Describe a debugging session that lasted way too long, only to be solved by something incredibly simple (the classic ‘typo’ story).”
Today’s answer: Cloudflare spent hours engineering a WAF rule to block React RCE exploits, only for that same rule to accidentally parse requests incorrectly and crash 20% of the internet for 40 minutes.
Classic developer nightmare: the fix becomes the bug.
Market Impact
Cloudflare stock (NET) fell 4.5% in premarket trading. Two outages in 3 weeks shifted trader focus from “growth story” to “reliability concerns.” The stock trades at 30x expected 2025 sales—a premium that demands flawless execution.



