Cloudflare outage on December 5, 2025
Summary
On December 5, 2025, Cloudflare experienced a significant outage affecting a portion of its network due to a configuration change related to its Web Application Firewall (WAF). The incident, which lasted approximately 25 minutes, was triggered by an attempt to increase the buffer size in response to a critical vulnerability in React Server Components. The change inadvertently led to HTTP 500 errors due to a bug in the rules module of the FL1 proxy. The article outlines the sequence of events, the technical failures involved, and the planned improvements to prevent future incidents, including enhanced rollouts and fail-open error handling strategies.
Key Learnings
1. Configuration changes in critical systems must be carefully managed to avoid widespread outages.
2. The importance of gradual rollouts and health validation in deployment processes to mitigate risks.
3. Understanding the implications of using 'execute' actions in rulesets and the potential for runtime errors in loosely typed languages.
4. The necessity of robust error handling mechanisms, such as fail-open strategies, to maintain service availability during failures.
5. The role of internal testing tools and their compatibility with production configurations in preventing incidents.
Who Should Read This
Senior Cloud Engineers managing high-availability web services and incident response strategies.
Test Your Knowledge
What are the potential risks associated with increasing buffer sizes in WAF configurations?
How can gradual deployment strategies mitigate the impact of configuration changes in large-scale systems?
What lessons can be learned from the Lua exception encountered during the outage, and how could strong typing have prevented it?
In what ways can fail-open error handling improve service resilience during configuration failures?
What specific changes are being implemented to enhance the robustness of Cloudflare's network following the incident?