Logo
Cloudflare’s 2025 Outages Expose Fragility in Internet Infrastructure

Cloudflare’s 2025 Outages Expose Fragility in Internet Infrastructure

Back-to-back global disruptions tied to configuration errors and emergency React2Shell mitigations raise questions about how the web’s backbone is run

Overview

In late 2025, Cloudflare, one of the internet’s core infrastructure providers, suffered two major global outages within three weeks. A three-hour disruption on November 18, followed by a roughly 25–30 minute outage on December 5 that knocked out an estimated quarter of all HTTP traffic on its network, temporarily took down services ranging from LinkedIn, Zoom, Shopify and Coinbase to gaming and AI platforms that rely on Cloudflare’s edge network, content delivery, and security services.

Both incidents trace back to Cloudflare’s own configuration changes—first in its proxy layer, then in its Web Application Firewall as it rushed to deploy protections for the critical React2Shell (CVE-2025-55182) vulnerability. The combination of rapid, global updates and deep centralization of web infrastructure has turned these missteps into systemic events, prompting scrutiny from customers, investors, and policymakers over how safely emergency security fixes can be rolled out across the modern internet.

8 Sources:
+2
Reuters Associated Press Computer Weekly Network World Cybernews The Guardian Cloudflare Blog Wikipedia

Key Indicators

≈28%
Share of Cloudflare HTTP traffic disrupted on Dec. 5, 2025
Cloudflare and independent reporting estimate that roughly 25–30% of HTTP traffic on its network failed during the WAF misconfiguration incident, impacting millions of users worldwide.
25–30 minutes
Duration of Dec. 5 global outage
Between roughly 08:47 and 09:12–09:15 UTC, Cloudflare’s network returned large numbers of HTTP 500 errors before engineers rolled back the faulty change and restored services.
2
Major global Cloudflare outages in 17 days
A multi-hour outage on November 18, 2025, was followed by the Dec. 5 incident, undercutting Cloudflare’s reliability claims and drawing attention to its change-management practices.
81M/s
Cloudflare’s global HTTP request volume
Cloudflare handles on the order of 81 million HTTP requests per second, meaning configuration errors at its edge can affect a significant fraction of all web traffic.
≈4.5%
Intraday share price drop after Dec. 5 outage
Cloudflare’s stock reportedly fell as much as about 4.5% in pre-market trading following news of the second outage in under three weeks.

People Involved

Matthew Prince
Matthew Prince
Co-founder and CEO, Cloudflare (Publicly accountable for repeated outages and reliability reforms)
Dane Knecht
Dane Knecht
Senior Cloudflare executive (described in some coverage as CTO) (Technical leader publicly communicating about the Dec. 5 outage)

Organizations Involved

Cloudflare, Inc.
Cloudflare, Inc.
Corporation
Status: Core infrastructure provider experiencing repeated outages

Cloudflare is a U.S.-based web infrastructure and website security company that provides content delivery, DDoS protection, DNS, and Web Application Firewall services for millions of websites.

React & React Server Components Ecosystem
React & React Server Components Ecosystem
Open-source software ecosystem
Status: Origin of critical React2Shell vulnerability prompting emergency mitigations

React is a widely used JavaScript library for building web user interfaces. Its Server Components and related frameworks like Next.js underpin a large share of modern web applications.

Major Platforms Dependent on Cloudflare
Major Platforms Dependent on Cloudflare
Customer group
Status: Intermittently disrupted by Cloudflare outages

A wide range of large web platforms—including videoconferencing, social networking, e-commerce, cryptocurrency, gaming, and AI services—rely on Cloudflare’s CDN and security products and were affected by the 2025 outages.

Timeline

  1. Post-incident analyses highlight systemic risk from centralized infrastructure

    Analysis

    Media and security analysts compare Cloudflare’s twin outages to recent disruptions tied to AWS and the 2024 CrowdStrike configuration disaster, arguing that the concentration of traffic and security controls in a small number of providers has created "too big to fail" single points of failure for the global internet. Cloudflare faces renewed scrutiny from customers and investors over whether its internal safeguards and testing practices are adequate for a system of its scale.

  2. Cloudflare issues status update and confirms no cyberattack

    Public Statement

    Cloudflare’s status page and social media channels confirm that the incident has been resolved and state that a WAF configuration change—deployed to mitigate an industry-wide React Server Components vulnerability—made its network unavailable for several minutes. The company stresses that the outage was not caused by a cyberattack and promises a detailed blog post and a review of its global configuration systems.

  3. Cloudflare outage triggered by WAF body-parsing change

    Outage

    While rolling out changes to how its Web Application Firewall parses HTTP request bodies—intended to better detect React2Shell exploit payloads—Cloudflare introduces a configuration that breaks request processing on older FL1 proxies using its Managed Ruleset. The misconfiguration causes a flood of HTTP 500 errors and briefly knocks out around 25–30% of HTTP traffic on its network, affecting platforms such as Zoom, LinkedIn, Shopify, Coinbase, Claude AI, Fortnite, and others. Engineers quickly identify the issue and roll back the change, restoring service within about 25 minutes.

  4. Security community reports active exploitation of React2Shell

    Security Incident

    Within a day of public disclosure, security researchers and cloud providers report that Chinese state-linked threat groups are actively exploiting React2Shell in the wild. Proof-of-concept exploits circulate publicly, pushing vendors and infrastructure providers, including Cloudflare, to accelerate deployment of mitigations.

  5. Emergency WAF rule released for React2Shell vulnerability

    Security Mitigation

    Cloudflare publishes an emergency Web Application Firewall rule update tied to CVE-2025-55182, a critical remote code execution vulnerability in React Server Components known as React2Shell. The rules are designed to block unsafe deserialization patterns linked to the exploit.

  6. Cloudflare issues detailed postmortem and promises reforms

    Public Statement

    In a technical blog post, Cloudflare explains that the November 18 outage was caused by a bug in new proxy code that resulted in unhandled errors and 5xx responses. The company apologizes, acknowledging that it "failed" its customers and the broader internet, and pledges to improve testing, staged rollouts, and safeguards around its configuration systems.

  7. First major 2025 Cloudflare outage disrupts large swath of the web

    Outage

    Cloudflare suffers a widespread outage attributed to a configuration error and unhandled panic in its FL2 Rust-based proxy. The incident lasts several hours and impacts major platforms including X, Spotify, ChatGPT, and popular online games. Cloudflare’s dashboard, login systems, and some internal services are also affected.

Scenarios

1

Cloudflare successfully hardens its change-management and regains trust

Discussed by: Technical press, infrastructure engineers, some investors

In this scenario, Cloudflare treats the November and December outages as existential warning shots and undertakes a comprehensive overhaul of its change-management processes. It expands canary and staged rollouts for all configuration systems, introduces stronger isolation between components on edge servers, and reviews any mechanism (like global configuration killswitches) that can propagate changes fleetwide in seconds. Transparency via detailed postmortems and independent audits reassures large customers, who may still implement multi-CDN strategies but continue to rely heavily on Cloudflare. Outage frequency declines and the events are remembered as catalysts for a more mature operational culture.

2

Large customers diversify away, pressuring Cloudflare’s growth and margins

Discussed by: Enterprise IT leaders, risk consultants, some market analysts

Frustrated by repeated outages and mindful of parallels like the 2024 CrowdStrike update debacle, major enterprises take aggressive steps to reduce single-provider dependence. They adopt multi-CDN architectures, terminate some Cloudflare services in favor of competitors, and build internal fallbacks for DNS and security functions. While Cloudflare remains a major player, its growth slows, sales cycles lengthen due to heightened due diligence on reliability, and margins come under pressure as it must invest more in resilience and offer contractual assurances (such as stricter SLAs or financial guarantees) to retain key accounts.

3

Regulators treat CDNs and security clouds as critical infrastructure

Discussed by: Policy commentators, cybersecurity regulators, some economists

Drawing on the cumulative impact of Cloudflare outages, AWS disruptions, and the global CrowdStrike configuration failure, governments move toward classifying large CDNs and security clouds as critical infrastructure subject to tighter oversight. New rules could require independent reliability audits, mandatory staged rollouts for high-risk changes, incident reporting obligations, and contingency planning to ensure continuity of essential services. Cloudflare faces additional compliance costs but benefits from clearer industry-wide standards that may lock in incumbents and raise barriers to entry.

4

A future emergency patch causes both an outage and a major breach

Discussed by: Security researchers and worst-case risk modelers

A more severe but less likely outcome is that a future critical vulnerability forces another emergency response. In the rush to deploy mitigations, a provider either triggers another large-scale outage or, worse, deploys a flawed rule set that attackers evade, leading to a major breach while stability is also compromised. Such a dual failure could trigger lawsuits, regulatory sanctions, and a rapid loss of market share for the provider involved, and might accelerate a wider industry shift toward fundamentally different architectures for patching and isolation.

5

Industry-wide shift toward safer emergency update patterns

Discussed by: Cloud vendors, security product teams, DevOps/SRE communities

React2Shell, the Cloudflare outages, and the 2024 CrowdStrike incident collectively push the industry to rethink how emergency security updates and configuration changes are tested and deployed. Providers adopt standardized patterns for pre-production fuzzing and chaos experiments, more granular feature flags, and mandatory "slow rollout" paths even under pressure. Open-source ecosystems like React coordinate more closely with infrastructure providers to model exploit traffic and mitigation side effects in advance. The result is fewer internet-scale disruptions when the next critical zero-day hits.

Historical Context

2024 CrowdStrike Configuration Update Outage

2024-07-19

What Happened

On July 19, 2024, cybersecurity firm CrowdStrike pushed a faulty configuration update to its Falcon sensor software for Windows systems. The update caused Windows machines to enter bootloops or crash with "blue screens of death," disrupting more than eight million computers worldwide and affecting airlines, banks, hospitals, broadcasters, and government agencies before a fix was deployed.

Outcome

Short term: Flights were grounded, services interrupted, and CrowdStrike’s stock price fell sharply. The company worked with customers to manually remediate affected systems, a process that took days for some organizations.

Long term: CrowdStrike faced lawsuits (including from Delta Air Lines) and regulatory scrutiny but retained much of its customer base. The incident became a case study in how a single misconfigured security update at a dominant provider can have global consequences.

Why It's Relevant

Like the 2025 Cloudflare outages, the CrowdStrike incident shows how flawed updates from centralized security infrastructure can ripple across critical services worldwide. Both cases highlight the need for stricter testing, staged deployment, and architectural safeguards around high-privilege security components.

Fastly CDN Outage of June 2021

2021-06-08

What Happened

In June 2021, a configuration issue at content delivery network Fastly triggered a major outage that briefly took down a wide array of high-profile websites, including government portals, news outlets like the BBC, and major e-commerce and streaming services. A single customer configuration change exposed a latent bug in Fastly’s CDN software, causing widespread 503 errors until the change was rolled back.

Outcome

Short term: Fastly restored service within about an hour and issued a public explanation and apology. Customers experienced temporarily inaccessible sites and lost transactions.

Long term: The outage underscored the extent to which CDNs had become critical infrastructure and drove more discussion about multi-CDN strategies and the risks of single points of failure.

Why It's Relevant

Fastly’s outage is an early, smaller-scale analogue to Cloudflare’s 2025 incidents: both involve edge networks where a configuration change propagates rapidly and unexpectedly breaks large portions of the web. It underlines how subtle bugs in shared infrastructure can have outsized impact.

Facebook Global Outage of October 2021

2021-10-04

What Happened

On October 4, 2021, Facebook and its services—including Instagram, WhatsApp, and Messenger—went offline globally for six to seven hours due to a misconfiguration in its backbone network that withdrew its BGP routes, effectively removing its DNS and services from the internet.

Outcome

Short term: Billions of users lost access to communication and social platforms; some businesses reliant on WhatsApp and Facebook tools were unable to operate normally during the outage.

Long term: Facebook revamped aspects of its network change procedures and incident response. The event became a prominent example of how a single configuration error at a large platform can have global social and economic effects.

Why It's Relevant

The Facebook outage illustrates the systemic risks of centralized control planes and global configuration updates—similar structural dynamics to Cloudflare’s outages, even though the technologies differ. It reinforces that operational discipline and safe-guarded rollout mechanisms are critical at internet scale.