Cloudflare outage on December 5, 2025
Author: Dane Knecht
Summary
A significant traffic outage impacted Cloudflare’s network on December 5, 2025, starting at approximately 08:47 UTC and lasting about 25 minutes. The incident affected roughly 28% of Cloudflare’s HTTP traffic. The company emphasized that “The issue was not caused, directly or indirectly, by a cyber attack” but rather resulted from configuration changes made while attempting to address a React Server Components vulnerability.
What Happened
The root cause involved changes to the Web Application Firewall (WAF) buffer size. Cloudflare increased the HTTP request body buffer from 128KB to 1MB to better protect customers using React against CVE-2025-55182. When an internal WAF testing tool proved incompatible with the larger buffer, engineers disabled it using the global configuration system.
Unfortunately, this second change triggered a bug in the FL1 proxy version. The system attempted to process a Lua code instruction that referenced a nil value: “attempt to index field ‘execute’ (a nil value)”. This resulted in HTTP 500 errors being served across the network.
Impact
Customers were affected only if they met both conditions:
- Their traffic was served by the older FL1 proxy
- They had the Cloudflare Managed Ruleset deployed
All requests from affected websites returned HTTP 500 errors, with limited exceptions for test endpoints. China network traffic remained unaffected.
Technical Details
The error occurred within Cloudflare’s rulesets system, which evaluates rules for incoming requests. The “execute” action triggers evaluation of sub-rulesets. When engineers applied a killswitch to disable test rules, the code correctly skipped the execute action but failed when trying to process results — the rule_result.execute object no longer existed, causing Lua to error.
This code flaw had existed undetected for years but would have been prevented by a strongly-typed language. Cloudflare’s replacement FL2 proxy, written in Rust, did not experience this issue.
Resolution and Prevention
The configuration change was reverted at 09:11 UTC, and full restoration occurred by 09:12 UTC. Cloudflare acknowledged this was the second major incident in two weeks following a November 18 outage caused by similar circumstances — security-motivated changes propagating network-wide without sufficient safeguards.
The company committed to implementing three key improvements:
- Enhanced Rollouts & Versioning – Configuration changes will receive gradual deployment with health validation, similar to software updates
- Streamlined Break Glass Capabilities – Ensuring critical operations function despite failures
- “Fail-Open” Error Handling – Systems will default to known-good states rather than dropping requests when encountering corrupt or invalid configurations
Cloudflare stated these changes would have helped mitigate this incident but acknowledged they remain incomplete. The company announced a comprehensive plan would be published within a week.
Timeline
| Time (UTC) | Status | Description |
|---|---|---|
| 08:47 | INCIDENT start | Configuration change deployed and propagated to network |
| 08:48 | Full impact | Change fully propagated |
| 08:50 | INCIDENT declared | Automated alerts triggered |
| 09:11 | Change reverted | Configuration change reverted and propagation started |
| 09:12 | INCIDENT end | Revert fully propagated, all traffic restored |
Note: A post-publication clarification was added to explain the relationship between the internal WAF tool and the incident on December 5.