Concise Cyber

React Security Fix Triggers Widespread Cloudflare WAF Blocks

A security patch intended to fix a vulnerability in the popular JavaScript library React led to an unexpected conflict with Cloudflare’s Web Application Firewall (WAF), causing the firewall to block legitimate web traffic for numerous websites. The incident highlighted the complex interactions between application-level security fixes and network-level protection rules.

The issue began after the React team released a patch to mitigate a server-side rendering (SSR) cross-site scripting (XSS) vulnerability. The fix involved inserting a specific HTML comment, <!-- -->, into the rendered output to neutralize potential exploits. This mitigation, however, directly conflicted with a pre-existing rule in the Cloudflare Managed Ruleset.

The React Patch and WAF Rule Conflict

The core of the problem was a collision between two independent security measures. The React vulnerability allowed attackers to inject malicious code through the library’s SSR capabilities. The developers’ chosen method to patch this was to insert an empty HTML comment, a standard practice to break up strings that could be interpreted as executable code.

Simultaneously, Cloudflare's WAF contained a specific security rule designed to detect and block XSS attacks that use the exact same <!-- --> comment string as part of an exploit technique. Consequently, when websites updated to the patched version of React, their legitimate, now-secure code began triggering Cloudflare's XSS detection rule, resulting in widespread false positives and blocked requests.
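The collision described above can be reproduced with a small model. The following is an added example, not code from React, Cloudflare, or the article: renderTextNodesSSR is a constructed stand-in for a patched SSR renderer that separates escaped text nodes with an empty comment, naiveCommentRule is a constructed stand-in for a signature rule that matches the comment string anywhere, contextAwareCommentRule is a constructed narrower rule (not Cloudflare's actual rule change), and evaluateRule runs both against a constructed corpus of benign framework output and a contrived malicious sample.

```javascript
// Added example (not React's, Cloudflare's or the article's own code).
// Two constructed stand-ins reproduce the collision: an SSR text renderer that
// emits an empty HTML comment, and a signature-style WAF rule that matches it.

const NEUTRALIZING_COMMENT = "<!-- -->";

// Minimal HTML escaping for text content (assumed helper, not a library call).
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Stand-in for a patched SSR renderer: escapes every text node and separates
// adjacent nodes with an empty comment so characters from two sources are never
// joined into one token by the client-side parser. Constructed illustration,
// not React's actual implementation.
function renderTextNodesSSR(nodes) {
  return nodes.map(escapeHtml).join(NEUTRALIZING_COMMENT);
}

// Stand-in for the pre-existing signature rule: any body containing the comment
// string is treated as an XSS attempt. This is the behaviour that produces
// false positives on the patched renderer's output.
function naiveCommentRule(body) {
  return body.includes(NEUTRALIZING_COMMENT);
}

// Stand-in for a narrower rule: the comment is only suspicious when it sits
// inside an unfinished tag (after a '<' that is not the comment's own and
// before the next '>'), where it could be splitting a tag or attribute name.
// Constructed refinement for illustration, not Cloudflare's published change.
function contextAwareCommentRule(body) {
  return /<(?!!--)[^>]*<!--\s*-->/.test(body);
}

// Rule regression check: a rule change is run against known-benign framework
// output as well as known-bad samples, and both failure kinds are reported.
function evaluateRule(rule, benign, malicious) {
  return {
    falsePositives: benign.filter((b) => rule(b)),
    misses: malicious.filter((m) => !rule(m)),
  };
}

// Constructed samples. The benign ones are what the stand-in patched renderer
// emits for ordinary content; the malicious one is a contrived tag-splitting
// string used only to show that the narrower rule still fires on it.
const BENIGN = [
  renderTextNodesSSR(["Hello, ", "world"]),
  renderTextNodesSSR(["1 < 2", " and 3 > 2"]),
  "<p>" + renderTextNodesSSR(["Total: ", "42"]) + "</p>",
];
const MALICIOUS = ["<scr<!-- -->ipt>"];

// Compares the two rules on the same corpus; the naive rule blocks every
// benign page, the context-aware rule blocks none and still catches the sample.
function compareRules() {
  return {
    naive: evaluateRule(naiveCommentRule, BENIGN, MALICIOUS),
    contextAware: evaluateRule(contextAwareCommentRule, BENIGN, MALICIOUS),
  };
}

console.log(JSON.stringify(compareRules(), null, 2));
```

The point of evaluateRule is the operational one: when a widely deployed framework changes what it emits, the benign corpus used to regression-test WAF rules has to be refreshed with the new output, otherwise a signature that was accurate yesterday silently becomes a site-wide block.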

Impact and Resolution

Developers using frameworks built on React, such as NodeJS, Next.js, and Gatsby, reported that their sites became inaccessible to users after applying the security update. The issue gained visibility as developers discussed the blockages on platforms like GitHub, identifying the connection between the React patch and the WAF behavior.

In response to the widespread reports, Cloudflare acknowledged the issue of false positives. The company deployed an emergency release to update the specific WAF rule that was being incorrectly triggered. Cloudflare CTO John Graham-Cumming confirmed via Twitter that a change had been pushed to resolve the conflict, restoring access to the affected websites.

Source: https://www.csoonline.com/article/4101649/cloudflare-firewall-reacts-badly-to-react-exploit-mitigation-2.html