Skip to content
View in the app

A better way to browse. Learn more.

hosang I.T.

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

Cloudflare firewall reacts badly to React exploit mitigation

Cloudflare’s network suffered a brief but widespread outage Friday, after an update to its Web Application Firewall to mitigate a vulnerability in React Server Components went wrong.

At 9:09 a.m. UTC, the company reported that it was investigating issues with the Cloudflare Dashboard and related APIs, warning that customers might see requests fail or errors displayed.

Just 10 minutes later, it had deployed a fix — but not before a flood of reports of problems with Cloudflare and its customers poured into uptime tracking sites such as Downdetector.com.

During the same window, Downdetector saw a spike in problem reports for enterprise services including Shopify, Zoom, Claude AI, and Amazon Web Services, and a host of consumer services from games to dating apps.

Cloudflare explained the outage on its service status page: “A change made to how Cloudflare’s Web Application Firewall parses requests caused Cloudflare’s network to be unavailable for several minutes this morning. This was not an attack; the change was deployed by our team to help mitigate the industry-wide vulnerability disclosed this week in React Server Components.”

That vulnerability, tracked as CVE-2025-55182, enables attackers to remotely execute code on web servers running the React 19 library. Cloudflare was no doubt attempting to protect those of its customers who have not yet had an opportunity to patch the vulnerability in the two days since it was revealed.

The wobble in Cloudflare’s services comes just two weeks after a much bigger one rendering its customers’ websites inaccessible or unreliable for hours on Nov. 18. That was caused by one Cloudflare application generating a configuration file that was too big for another application to parse, bringing systems to a halt.

This outsized impact of that small failure on websites around the world was reminiscent of a bug that hit AWS services the previous month. A coding error in its DNS systems led to a DynamoDB endpoint becoming inaccessible. That wouldn’t have been so bad, but many other services used by AWS internally and by its customers relied on it, so they too were affected.

There are some advantages in relying on single service providers such as Cloudflare or AWS for these tasks — including economies of scale and service consistency. But it also makes them single points of failure: when they go down, everything goes down with them. In such a monoculture, the alternatives that might be able to take up the slack have already been weeded out.

View the full article

User Feedback

Recommended Comments

There are no comments to display.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Add a comment...

Account

Navigation

Search

Search

Configure browser push notifications

Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.