Cloudflare outage on December 5, 2025

Cloudflare outage on December 5, 2025

Author: Dane Knecht

Summary

A significant traffic outage impacted Cloudflare’s network on December 5, 2025, starting at approximately 08:47 UTC and lasting about 25 minutes. The incident affected roughly 28% of Cloudflare’s HTTP traffic. The company emphasized that “The issue was not caused, directly or indirectly, by a cyber attack” but rather resulted from configuration changes made while attempting to address a React Server Components vulnerability.

What Happened

The root cause involved changes to the Web Application Firewall (WAF) buffer size. Cloudflare increased the HTTP request body buffer from 128KB to 1MB to better protect customers using React against CVE-2025-55182. When an internal WAF testing tool proved incompatible with the larger buffer, engineers disabled it using the global configuration system.

Unfortunately, this second change triggered a bug in the FL1 proxy version. The system attempted to process a Lua code instruction that referenced a nil value: “attempt to index field ‘execute’ (a nil value)”. This resulted in HTTP 500 errors being served across the network.

Impact

Customers were affected only if they met both conditions:

  • Their traffic was served by the older FL1 proxy
  • They had the Cloudflare Managed Ruleset deployed

All requests from affected websites returned HTTP 500 errors, with limited exceptions for test endpoints. China network traffic remained unaffected.

Technical Details

The error occurred within Cloudflare’s rulesets system, which evaluates rules for incoming requests. The “execute” action triggers evaluation of sub-rulesets. When engineers applied a killswitch to disable test rules, the code correctly skipped the execute action but failed when trying to process results — the rule_result.execute object no longer existed, causing Lua to error.

This code flaw had existed undetected for years but would have been prevented by a strongly-typed language. Cloudflare’s replacement FL2 proxy, written in Rust, did not experience this issue.

Resolution and Prevention

The configuration change was reverted at 09:11 UTC, and full restoration occurred by 09:12 UTC. Cloudflare acknowledged this was the second major incident in two weeks following a November 18 outage caused by similar circumstances — security-motivated changes propagating network-wide without sufficient safeguards.

The company committed to implementing three key improvements:

  1. Enhanced Rollouts & Versioning – Configuration changes will receive gradual deployment with health validation, similar to software updates
  2. Streamlined Break Glass Capabilities – Ensuring critical operations function despite failures
  3. “Fail-Open” Error Handling – Systems will default to known-good states rather than dropping requests when encountering corrupt or invalid configurations

Cloudflare stated these changes would have helped mitigate this incident but acknowledged they remain incomplete. The company announced a comprehensive plan would be published within a week.

Timeline

Time (UTC)StatusDescription
08:47INCIDENT startConfiguration change deployed and propagated to network
08:48Full impactChange fully propagated
08:50INCIDENT declaredAutomated alerts triggered
09:11Change revertedConfiguration change reverted and propagation started
09:12INCIDENT endRevert fully propagated, all traffic restored

Note: A post-publication clarification was added to explain the relationship between the internal WAF tool and the incident on December 5.