Articles

This article is a comprehensive post-mortem report from Cloudflare regarding a 25-minute service outage on December 5, 2025. The incident, which impacted approximately 28% of Cloudflare's HTTP traffic, was not a cyberattack but rather an unintended consequence of internal configuration changes. Cloudflare was attempting to increase WAF buffer size to 1MB to protect customers against a critical React Server Components vulnerability (CVE-2025-55182). During this rollout, an internal WAF testing tool was disabled via a global configuration system. This disabling, specifically when a killswitch was applied to a rule with an 'execute' action, exposed a previously undetected Lua runtime error (attempt to index field 'execute' (a nil value)) in the FL1 proxy version. This error resulted in HTTP 500 responses for customers using the FL1 proxy with Cloudflare Managed Rulesets. The issue was quickly identified and resolved by reverting the change. The article acknowledges a similar prior incident on November 18 and outlines ongoing resilience projects, including enhanced rollouts, streamlined break-glass capabilities, and 'fail-open' error handling, which were unfortunately not yet fully deployed.

This article details Cloudflare's rapid response to a critical Remote Code Execution (RCE) vulnerability (CVE-2025-55182, CVSS 10.0) affecting specific versions of React (19.0-19.2) and Next.js (15-16). The vulnerability stems from insecure deserialization of malicious requests in React Server Components. Cloudflare has deployed new Web Application Firewall (WAF) rules across its network, with a default 'Block' action, to automatically protect all customers whose React application traffic is proxied through Cloudflare, irrespective of their plan type. The article highlights that applications deployed on Cloudflare Workers are inherently immune to this exploit. While immediate WAF protection is in place, Cloudflare strongly advises customers to update their applications to the latest secure versions of React (19.2.1) and Next.js (16.0.7, 15.5.7, 15.4.8). It also provides specific WAF rule IDs and instructions for Professional, Business, and Enterprise plan customers to ensure Managed Rules are enabled. The rules were deployed on December 2, 2025, and no exploitation attempts have been observed since. Cloudflare's security team is committed to continuous monitoring and updating protections against potential attack variations.

The article announces the acquisition of Replicate by Cloudflare, detailing the strategic rationale behind this move. Replicate, founded in 2019, focused on democratizing machine learning by abstracting the complexities of running models, enabling developers to deploy research models as API endpoints using tools like Cog. Their platform gained significant traction, especially with the release of Stable Diffusion. The authors emphasize that modern AI applications now require a comprehensive stack beyond mere model inference, encompassing microservices, content delivery, object storage, and databases. This integration with Cloudflare's extensive network, Workers, R2, and Durable Objects will allow them to create a complete AI infrastructure layer. The combined entity aims to facilitate advanced AI solutions, such as running models at the edge, building fast model pipelines with Workers, and streaming model inputs/outputs, fulfilling the vision of 'the network is the computer' for AI.

This report from Cloudflare provides a comprehensive analysis of the DDoS threat landscape in Q3 2025, dominated by the newly identified Aisuru botnet. Aisuru, with an estimated 1-4 million infected hosts, launched hyper-volumetric attacks routinely exceeding 1 Tbps and 1 Bpps, peaking at 29.7 Tbps, causing widespread internet disruption. The report also notes a significant 347% month-over-month surge in DDoS attacks against AI companies in September 2025, correlating with increased public concern and regulatory scrutiny. Furthermore, escalating EU-China trade tensions led to a rise in attacks on the Mining, Minerals & Metals and Automotive industries. Geopolitical events also directly influenced attack activity in locations like the Maldives and France. Cloudflare's autonomous defenses mitigated 8.3 million DDoS attacks in the quarter, with network-layer attacks showing a substantial increase. The report concludes by emphasizing that the growing sophistication and scale of modern DDoS attacks render legacy mitigation solutions insufficient, subtly positioning Cloudflare's global network and autonomous systems as a superior defense.