Cloudflare experienced another significant service disruption on December 5, 2025, affecting over 25% of the traffic on its network. The company confirmed the incident was not caused by a cyberattack but resulted from an internal configuration change made while rolling out protections for a newly disclosed React Server Components vulnerability.
The update altered how Cloudflare’s Web Application Firewall (WAF) handles request body parsing, increasing internal buffer limits to support additional security checks.
During the rollout, engineers disabled an internal WAF testing tool that did not support the new buffer size. Unlike gradual deployments, this change was pushed globally within seconds. On Cloudflare’s older FL1 proxy, the configuration triggered a bug in the rules engine, causing it to enter an error state and return HTTP 500 responses for affected customers.
Customers were impacted only if:
- Their traffic was served by Cloudflare’s FL1 proxy
- They had the Cloudflare Managed Ruleset enabled
All such requests failed with 500 errors, except those served by Cloudflare’s China network.
Cloudflare traced the failure to a long-standing code issue involving how the proxy handles skipped “execute” actions in its rulesets. The bug caused a missing object reference, leading to a Lua exception and subsequent service failures. Notably, the problem does not exist in Cloudflare’s newer FL2 proxy, which is written in Rust and uses stronger type safety.
This event, while shorter, follows the widespread Cloudflare outage on November 18, 2025, also triggered by a global configuration change. Cloudflare acknowledged that ongoing resilience and rollout improvements, already planned after that earlier incident, were not yet fully deployed.
Cloudflare aims to prevent these types of cascading failures and outlined ongoing projects to improve safety and rollback capabilities across its network, including:
- Enhanced rollouts with strict validation and improved versioning
- Stronger “break glass” operational pathways during failures
- Replacement of hard-fail behavior with safer fail-open logic
- Additional drift prevention to ensure consistent error handling
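
The failure mode described above (a skipped “execute” action leaving a result object unset) and the hard-fail versus fail-open distinction can be modeled in a few lines. This is an added, simplified Python illustration, not Cloudflare’s Lua code; every name in it (`RuleResult`, `evaluate`, `summarize_unsafe`, `handle_request`, the status codes returned) is hypothetical.

```python
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class ExecuteResult:
    matched_rules: int  # rules that matched inside the nested ruleset


@dataclass
class RuleResult:
    action: str                               # "execute", "block", "log", ...
    skipped: bool = False                     # the action was skipped, not run
    execute: Optional[ExecuteResult] = None   # set only when "execute" really ran


def evaluate(action: str, skipped: bool) -> RuleResult:
    """Evaluate one rule; a skipped "execute" never populates .execute."""
    if action == "execute" and not skipped:
        return RuleResult(action, execute=ExecuteResult(matched_rules=3))
    return RuleResult(action, skipped=skipped)


def summarize_unsafe(result: RuleResult) -> int:
    """Buggy: assumes every "execute" rule carries a result object."""
    if result.action == "execute":
        return result.execute.matched_rules  # AttributeError when skipped
    return 0


def summarize_safe(result: RuleResult) -> int:
    """Fixed: treats the missing object as 'nothing ran'."""
    if result.action == "execute" and result.execute is not None:
        return result.execute.matched_rules
    return 0


def handle_request(summarize: Callable[[RuleResult], int],
                   result: RuleResult, fail_open: bool = False) -> int:
    """Return the HTTP status this modeled proxy would send."""
    try:
        summarize(result)
    except AttributeError:
        # Hard-fail turns a rules-engine bug into a 500 for every request;
        # fail-open forwards the request without this check instead.
        return 200 if fail_open else 500
    return 200


if __name__ == "__main__":
    skipped = evaluate("execute", skipped=True)   # constructed sample input
    print(handle_request(summarize_unsafe, skipped))                  # 500
    print(handle_request(summarize_safe, skipped))                    # 200
    print(handle_request(summarize_unsafe, skipped, fail_open=True))  # 200
```

In the fail-open branch the request is forwarded without that ruleset’s inspection, so the swallowed exception should be logged and alerted on rather than silently dropped.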
Visit Cloudflare’s official blog post for more information and updates on resilience improvements.