This morning, 500 errors appeared online more often than usual.
The culprit was Cloudflare. But unlike the November 18 incident, this one was shorter, lasting less than an hour.*
The company initially attributed the incident to a WAF update. The aim, it explained, was to mitigate the React vulnerability disclosed last week.
Root Cause: a Logging Issue
This vulnerability, now rated critical (CVSS score: 10), resides in React's server-side components. More precisely, it involves the logic that allows a client to invoke these components. Because inputs are handled insecurely, it opens the door to unauthenticated remote code execution. Versions 19.0, 19.1.0, 19.1.1 and 19.2.0 of the packages react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack are affected.
Unable to patch these packages directly, Cloudflare rolled out a WAF rule on December 2. “A simple band-aid,” recalled its CTO, noting the emergence of variants of the exploit.
Regarding this morning’s incident, the person in charge added a clarification, pending a more detailed report: the problem originated from logging being disabled in order to mitigate the vulnerability…
* Ticket opened at 9:56 a.m. Deployment of the fix announced at 10:12 a.m. Incident deemed resolved at 10:20 a.m.