👤 NETAEGIS
🗓️ 07 Dec 2025  

When a Patch Backfires: Inside Cloudflare’s 25-Minute Global Meltdown

Subtitle: A security fix for React Server triggered a rare, widespread outage - revealing technical fragilities in one of the Internet’s core defenders.

At 08:47 UTC on December 5, 2025, a routine security update sent shockwaves through the digital world. For 25 tense minutes, nearly a third of global HTTP traffic managed by Cloudflare - an essential shield for millions of websites - was disrupted. The Internet’s pulse stuttered, not because of a cyberattack, but due to a patch meant to protect it.

The Anatomy of an Unintended Outage

The outage began as Cloudflare rolled out a fix for a newly disclosed vulnerability in React Server, known as CVE-2025-55182. The fix involved expanding the internal memory buffer of its Web Application Firewall (WAF) from 128 KB to 1 MB - a step aligned with Next.js framework standards. This change was deployed gradually, but an internal WAF test tool failed to keep up. Deeming the tool unnecessary for live traffic, engineers swiftly disabled it with a secondary configuration change. That’s when things spiraled.

The second change propagated across Cloudflare’s global network almost instantly - far faster than the initial, cautious rollout. A subtle, latent bug in a specific version of Cloudflare’s FL1 proxy, written in Lua, was triggered. The bug lurked in the handling of WAF rules with the “execute” action: when the test ruleset was disabled, the absence of an expected object caused a Lua error. The result? HTTP 500 errors for all affected requests - effectively a complete blackout for those relying on the FL1 proxy with Cloudflare’s Managed Ruleset.

Importantly, not all customers were hit. The outage was limited to those with a particular configuration: using the FL1 proxy and the managed ruleset. Sites hosted on Cloudflare’s Chinese network or using other configurations remained unaffected. The newer FL2 proxy, written in Rust, avoided the pitfall thanks to stricter type management.
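The contrast drawn above between the Lua failure and the Rust proxy can be modelled in a few lines. This is an added example, not Cloudflare's code: every type, field and function name is hypothetical, and the sample rule results are constructed.

```rust
// Constructed model of the failure mode; not Cloudflare's code.
// Every type, field and function name here is hypothetical.
#[derive(Clone, Copy, PartialEq)]
enum Action { Block, Execute }

struct ExecuteData { results_index: usize }

struct RuleResult {
    action: Action,
    // Set only when the referenced sub-ruleset was evaluated. A disabled rule
    // keeps action == Execute but carries no execute data.
    execute: Option<ExecuteData>,
}

// Models a dynamically typed handler: it assumes action == Execute implies the
// execute object exists, so a missing object becomes a runtime error.
fn attach_unchecked(rule: &RuleResult, sub_results: &[u32]) -> Result<Option<u32>, String> {
    if rule.action != Action::Execute {
        return Ok(None);
    }
    let data = rule.execute.as_ref().ok_or("index of nil field 'execute'")?;
    Ok(sub_results.get(data.results_index).copied())
}

// An unhandled error during request processing reaches the client as HTTP 500.
fn status_unchecked(rule: &RuleResult, sub_results: &[u32]) -> u16 {
    match attach_unchecked(rule, sub_results) { Ok(_) => 200, Err(_) => 500 }
}

// Checked handler: Option cannot be read without deciding what None means, so
// a disabled rule yields "nothing to attach" and the request continues.
fn attach_checked(rule: &RuleResult, sub_results: &[u32]) -> Option<u32> {
    match &rule.execute {
        Some(data) if rule.action == Action::Execute => sub_results.get(data.results_index).copied(),
        _ => None,
    }
}

fn main() {
    let sub_results = [3u32]; // constructed: matches counted per sub-ruleset
    let rules = [
        ("enabled", RuleResult { action: Action::Execute, execute: Some(ExecuteData { results_index: 0 }) }),
        ("disabled", RuleResult { action: Action::Execute, execute: None }),
        ("block", RuleResult { action: Action::Block, execute: None }),
    ];
    for (name, rule) in &rules {
        println!("{}: unchecked -> HTTP {}, checked -> {:?}", name,
                 status_unchecked(rule, &sub_results), attach_checked(rule, &sub_results));
    }
}
```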

Cloudflare’s response was swift. Internal alerts fired within minutes. By 09:11 UTC, the problematic configuration was rolled back, and traffic was restored by 09:12. Yet, the incident echoed a similar mishap just weeks earlier, on November 18, prompting renewed urgency for safer configuration management. In its aftermath, Cloudflare paused all network changes until new, more robust “break glass” and rollback systems are fully operational.

Conclusion: Lessons in Digital Fragility

This incident underscores a paradox of modern cybersecurity: sometimes, the very updates designed to protect us can expose hidden weaknesses. Cloudflare’s transparency and rapid response are commendable, but the outage is a stark reminder that complexity breeds risk - even in the Internet’s most trusted guardians. As the company races to reinforce its defenses, the world watches, reminded that the web’s resilience is only as strong as its next patch.

WIKICROOK: Glossary

Web Application Firewall (WAF): A security system that filters and monitors HTTP traffic between a web application and the Internet to protect against attacks.

HTTP 500 Error: A generic server error indicating that something has gone wrong on the website’s server.

Proxy: A server that acts as an intermediary for requests from clients seeking resources from other servers.

Lua: A lightweight scripting language often used for embedded systems and network applications like proxies.

CVE (Common Vulnerabilities and Exposures): A standardized identifier for publicly known cybersecurity vulnerabilities.

NETAEGIS
Distributed Network Security Architect