On 5 December 2025, the global internet infrastructure firm Cloudflare suffered a widespread outage – the root cause: a configuration change intended to protect customers from a newly disclosed vulnerability.
On the morning of 5 December, Cloudflare’s network began to fail at 08:47 UTC, just as engineers rolled out changes to increase the buffer size used by its Web Application Firewall (WAF).
The buffer increase – from 128 kilobytes to a whole megabyte – was meant to address a critical vulnerability in React Server Components, CVE-2025-55182, also known as React2Shell.
However, during deployment, Cloudflare disabled an internal WAF testing tool. That second change, propagated globally without a gradual rollout, triggered a bug in the company’s legacy ‘FL1’ proxy. As a result, a whole lot of web requests returned HTTP 500 errors.
“Any outage of our systems is unacceptable, and we know we have let the internet down again following the incident on November 18,” Cloudflare said in a blog post on the same day.
At 09:12 UTC – 25 minutes after the outage began – the company reverted the configuration change and restored services.
The disruption wasn’t caused by a cyber attack or external threat, but by an internal configuration issue that cascaded through Cloudflare’s global infrastructure.
This outage marks the second major service failure for Cloudflare in just a few weeks – a reminder that even companies positioning themselves as the backbone of the internet remain vulnerable to internal mistakes. The firm pledged to accelerate improvements: future configuration changes will use more cautious rollouts with enhanced versioning, better “fail-open” safety measures, and stricter safeguards to prevent a single update from taking down large portions of the web.
The outage comes days after the company released its 2025 Q3 DDoS threat report, which showed an alarming year-on-year increase in malicious activity. Cloudflare blocked a staggering 36.2 million distributed denial-of-service (DDoS) attacks in 2025 (and that’s just in the first three quarters of the year), a 40 per cent increase over 2024’s 21.3 million.
“In the third quarter of 2025, Cloudflare mitigated an average of 3,780 DDoS attacks every hour,” Cloudflare said.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.