Cloudflare firewall reacts badly to React exploit mitigation


Cloudflare’s network suffered a brief but widespread outage Friday, after an update to its Web Application Firewall to mitigate a vulnerability in React Server Components went wrong.

At 9:09 a.m. UTC, the company reported that it was investigating issues with the Cloudflare Dashboard and related APIs, warning that customers might see requests fail or errors displayed.

Just 10 minutes later, it had deployed a fix — but not before a flood of reports of problems with Cloudflare and its customers poured into uptime tracking sites such as Downdetector.com.

During the same window, Downdetector saw a spike in problem reports for enterprise services including Shopify, Zoom, Claude AI, and Amazon Web Services, and a host of consumer services from games to dating apps.

Cloudflare explained the outage on its service status page: “A change made to how Cloudflare’s Web Application Firewall parses requests caused Cloudflare’s network to be unavailable for several minutes this morning. This was not an attack; the change was deployed by our team to help mitigate the industry-wide vulnerability disclosed this week in React Server Components.”

That vulnerability, tracked as CVE-2025-55182, enables attackers to remotely execute code on web servers running the React 19 library. Cloudflare was no doubt attempting to protect those of its customers who have not yet had an opportunity to patch the vulnerability in the two days since it was revealed.

The wobble in Cloudflare’s services comes just two weeks after a much bigger one that rendered its customers’ websites inaccessible or unreliable for hours on Nov. 18. That outage was caused by one Cloudflare application generating a configuration file that was too big for another application to parse, bringing systems to a halt.

The outsized impact of that small failure on websites around the world was reminiscent of a bug that hit AWS services the previous month. A coding error in its DNS systems led to a DynamoDB endpoint becoming inaccessible. That alone would not have been so bad, but many other services used by AWS internally and by its customers relied on that endpoint, so they too were affected.

There are some advantages in relying on single service providers such as Cloudflare or AWS for these tasks — including economies of scale and service consistency. But it also makes them single points of failure: when they go down, everything goes down with them. In such a monoculture, the alternatives that might be able to take up the slack have already been weeded out.

This article first appeared on Network World.
