Cloudflare says firewall update, not attack, caused Dec. 5 outage

Cloudflare said a 25-minute configuration change to its web application firewall caused a widespread outage on December 5, 2025 — not a cyberattack.

In an incident report, the company said part of its network began failing at 3:47 a.m. EST and all services were restored by 4:12 a.m. EST with about 28% of HTTP traffic served by Cloudflare affected.

Cloudflare said the disruption occurred when engineers were rolling out protections for a critical, unauthenticated remote-code-execution bug in React Server Components that was disclosed earlier in the week as CVE-2025-55182 and rated CVSS 10.0 by the React team.

The company had just rolled out new Web Application Firewall (WAF) rules to block exploitation of the React flaw, and then changed an internal WAF testing tool. That second change hit a long-standing bug in its FL1 proxy, causing HTTP 500 errors until the change was rolled back.

Cloudflare stressed that China network traffic was not affected and that only customers on its older FL1 proxy with the Managed Ruleset enabled saw errors.

Customers saw that as downtime at major sites rather than as a WAF issue. Coinbase’s status page reported users unable to access the exchange “due to [a] Cloudflare outage” until 4:38 a.m. EST. Anthropic’s status page logged “Claude.ai is unavailable” and a subsequent resolution the same morning.

The incident follows a longer availability event on November 18 that Cloudflare also traced to a security-driven configuration rollout. The company said it is freezing network changes while it upgrades its rollout, “fail-open” handling and kill-switch controls.