Buchodi reverse-engineered Cloudflare's obfuscated Turnstile script and discovered it traverses React's internal fiber tree — including component state, props, and hooks — before users can even interact with ChatGPT. The forensic teardown demonstrates that bot detection is reaching far deeper into application internals than most developers realize, fingerprinting the app's internal structure as part of its bot-vs-human determination.
The editorial argues that both the alarmed camp and the dismissive camp miss the deeper issue: React's fiber tree is attached to the DOM via __reactFiber$ properties, making it trivially accessible to any JavaScript on the page — analytics, ad networks, chat widgets, or bot detection. The real problem is that almost nobody treats this exposure as a security surface, despite it being inherent to how React works.
As noted in the editorial synthesis, a significant faction in the 593-comment HN discussion argued that Cloudflare's fiber tree inspection is not fundamentally different from reading the DOM — any script on a page already has full access to page content. They see the technique as a pragmatic bot-detection approach rather than an alarming intrusion into application internals.
As described in the editorial synthesis, another major faction in the HN discussion was alarmed that a CDN and bot-detection provider is reading React's internal component state, props, and hooks. Their concern is that this represents a CDN overstepping its role — sites embed Cloudflare for protection, not to have their application's internal data structures fingerprinted and inspected by a third party.
A security researcher writing under the handle Buchodi published a forensic teardown of the obfuscated JavaScript that Cloudflare injects on OpenAI's ChatGPT. The finding: before users can type a single character into the chat input, Cloudflare's Turnstile bot-detection script traverses React's internal fiber tree — the data structure React uses to track component state, props, hooks, and the virtual DOM. The script was heavily obfuscated, but Buchodi reverse-engineered it to reveal that it fingerprints the application's internal structure as part of its bot-vs-human determination.
The post hit 918 points on Hacker News, and the discussion quickly split into two camps: those alarmed that a CDN provider is reading application internals, and those pointing out that this is technically just "reading the DOM with extra steps." Both camps are missing the more important point: React's fiber tree has become a de facto public API that any script on your page can inspect, and almost nobody treats it that way.
React's reconciliation engine maintains a fiber tree — a linked list of nodes representing every component in your application. Each fiber node contains the component's type, its current state, pending state updates, props, refs, hooks (stored as a linked list on the fiber's `memoizedState`), and pointers to parent, child, and sibling fibers. This tree is attached to the DOM: every rendered DOM element has a property starting with `__reactFiber$` (or `__reactInternalInstance$` in older versions) that provides direct access to its corresponding fiber node.
Any JavaScript running on the page — analytics scripts, ad networks, chat widgets, bot detection — can call `Object.keys(element)` on any DOM node, find the React fiber key, and walk the entire component tree from there. This isn't an exploit. It's how React works. The fiber tree is reachable from the DOM by design, because React needs to associate DOM elements with their component state during event handling.
What Cloudflare's script appears to do is use this fiber traversal as a fingerprinting signal. A real React application will have a fiber tree with specific structural properties — depth, branching patterns, hook counts, state shapes — that are difficult for a headless browser or simple bot to replicate convincingly. It's clever bot detection: instead of just checking mouse movements or solving CAPTCHAs, it verifies that the page is running a genuine React application with real component state.
The Buchodi analysis focused on ChatGPT, but the architectural exposure applies to every React application on the internet. Consider what a third-party script can extract by walking the fiber tree:
User state. If your app stores user data in component state — email addresses, authentication tokens, form inputs, preferences — any script on the page can read it. React Server Components and Next.js server actions don't help here; the client-side state tree is still fully exposed for any component that hydrates.
Application structure. The fiber tree reveals your component hierarchy, which effectively maps your application's architecture. Component names (unless minified), prop structures, and state shapes are all visible. For competitive intelligence or vulnerability discovery, this is a goldmine.
Hook internals. Every `useState`, `useEffect`, `useRef`, and `useMemo` call creates entries in the fiber's hook linked list. A script can enumerate your hooks, read their current values, and even infer your application's behavior patterns from the effect dependency arrays.
This isn't theoretical. Browser extensions have been reading fiber trees for years — React DevTools is literally built on this capability. The difference is that React DevTools runs with the user's explicit permission. Third-party scripts injected via tag managers, CDN providers, or ad networks do not.
Content Security Policy, the standard defense against unwanted script behavior, doesn't help here. CSP controls which scripts can *execute* on your page and where they can *send data*. It cannot restrict what an allowed script does once it's running. If your CSP permits Cloudflare's challenge script (which it must, if you're using Cloudflare for DDoS protection), that script has full access to the DOM and everything attached to it — including React fiber internals.
The fundamental issue is that the web security model grants every permitted script equal access to the entire page context. There's no isolation boundary between "scripts I trust with my application state" and "scripts I trust to load fonts." The `