Cloudflare experienced a major outage on December 5 when a configuration change triggered failures across part of its global network, impacting roughly 28% of all HTTP traffic. The incident began at 08:47 UTC and ran for about 25 minutes, causing HTTP 500 errors for customers whose traffic passed through Cloudflare’s older FL1 proxy with the Managed Ruleset enabled. Cloudflare confirmed that the disruption did not stem from a cyberattack but from an internal change related to mitigating a new React Server Components vulnerability (CVE-2025-55182).
The outage occurred after Cloudflare initiated a rollout to expand its Web Application Firewall (WAF) body-parsing buffer from 128KB to 1MB to protect more React users. When engineers disabled an internal test ruleset using a global configuration system—one that pushes changes across the entire fleet within seconds—the FL1 proxy entered an error state. A long-standing bug in the Lua-based rules module caused the proxy to attempt to evaluate a non-existent “execute” action, resulting in exceptions and widespread 500 responses.
Cloudflare isolated the issue quickly and reverted the configuration at 09:12 UTC. The company acknowledged the incident’s proximity to a similar November 18 outage and noted that its network-wide change controls remain under revision. Cloudflare said it is accelerating several resilience initiatives, including stronger rollout gating, improved break-glass procedures, and replacing fail-closed logic in critical data-plane components.
• Outage window: 08:47–09:12 UTC on December 5 (≈25 minutes)
• Impacted traffic: ~28% of global Cloudflare HTTP volume
• Affected users: Customers using the FL1 proxy and Cloudflare Managed Ruleset
• Root cause: Global kill-switch change that triggered a long-standing Lua error in the “execute” ruleset path
• Error condition: Nil-value lookup inside rulesets callback on FL1; unaffected on FL2 (Rust)
• Security context: Change linked to mitigation of CVE-2025-55182 in React Server Components
• China network: Not affected
• Remediation: Full revert; ongoing work on rollout controls and fail-open handling
• Upcoming actions: Detailed resiliency program update expected next week
“We know these clustered incidents are not acceptable for a network like ours, and we apologize for the impact to our customers and to the Internet as a whole,” Cloudflare wrote.
🌐 Analysis
This outage underscores systemic tension between rapid security response and fleet-wide configuration safety, especially as providers race to mitigate newly disclosed framework vulnerabilities such as CVE-2025-55182. Cloudflare’s recognition that data-plane configuration paths require the same health-check rigor as software rollouts aligns with broader industry trends, as Akamai, Fastly, and hyperscalers also shift toward safer, versioned config delivery and fail-open defaults across edge environments.
