Articles

This article outlines Cloudflare's approach to implementing a 'shift-left' methodology for managing its own critical infrastructure at an enterprise scale. Facing the challenge of securing hundreds of internal accounts consistently and minimizing human error, Cloudflare transitioned from manual configuration to Infrastructure as Code (IaC). The core strategy involves treating configurations as code, integrating security checks early in the development lifecycle via CI/CD, and enforcing policy as code. Key technologies include Terraform for infrastructure provisioning, Atlantis for CI/CD, a custom `tfstate-butler` for secure state management, and Open Policy Agent (OPA) with Rego for policy enforcement. The article also addresses challenges encountered, such as importing legacy click-ops configurations, managing configuration drift, and keeping the Terraform provider up-to-date, sharing lessons learned around minimizing adoption barriers, automating drift detection, and leveraging OpenAPI for provider generation. The overarching message emphasizes a proactive approach to security and configuration management, enabling secure scaling and increased engineering velocity.

This article is a comprehensive post-mortem report from Cloudflare regarding a 25-minute service outage on December 5, 2025. The incident, which impacted approximately 28% of Cloudflare's HTTP traffic, was not a cyberattack but rather an unintended consequence of internal configuration changes. Cloudflare was attempting to increase WAF buffer size to 1MB to protect customers against a critical React Server Components vulnerability (CVE-2025-55182). During this rollout, an internal WAF testing tool was disabled via a global configuration system. This disabling, specifically when a killswitch was applied to a rule with an 'execute' action, exposed a previously undetected Lua runtime error (attempt to index field 'execute' (a nil value)) in the FL1 proxy version. This error resulted in HTTP 500 responses for customers using the FL1 proxy with Cloudflare Managed Rulesets. The issue was quickly identified and resolved by reverting the change. The article acknowledges a similar prior incident on November 18 and outlines ongoing resilience projects, including enhanced rollouts, streamlined break-glass capabilities, and 'fail-open' error handling, which were unfortunately not yet fully deployed.

This article details Cloudflare's rapid response to a critical Remote Code Execution (RCE) vulnerability (CVE-2025-55182, CVSS 10.0) affecting specific versions of React (19.0-19.2) and Next.js (15-16). The vulnerability stems from insecure deserialization of malicious requests in React Server Components. Cloudflare has deployed new Web Application Firewall (WAF) rules across its network, with a default 'Block' action, to automatically protect all customers whose React application traffic is proxied through Cloudflare, irrespective of their plan type. The article highlights that applications deployed on Cloudflare Workers are inherently immune to this exploit. While immediate WAF protection is in place, Cloudflare strongly advises customers to update their applications to the latest secure versions of React (19.2.1) and Next.js (16.0.7, 15.5.7, 15.4.8). It also provides specific WAF rule IDs and instructions for Professional, Business, and Enterprise plan customers to ensure Managed Rules are enabled. The rules were deployed on December 2, 2025, and no exploitation attempts have been observed since. Cloudflare's security team is committed to continuous monitoring and updating protections against potential attack variations.

Cloudflare has significantly updated its Python Workers platform, focusing on extensive package support and dramatically improved cold start times. Previously, Python Workers had limited built-in package support; now, they support any package compatible with Pyodide, including pure Python and many packages with dynamic libraries. This is facilitated by new `uv`-integrated tooling (`pywrangler`). A key technical achievement is the implementation of dedicated memory snapshots, which reduce cold start times to be 2.4x faster than AWS Lambda and 3x faster than Google Cloud Run for common package imports. The article explains the technical intricacies of these snapshots, addressing challenges like entropy management and WebAssembly state preservation. It also highlights the strategic deployment of sharding for Python Workers to reduce cold start frequency. These advancements aim to provide a seamless, high-performance serverless Python experience globally, making Cloudflare Workers a competitive option for Python developers.

This report from Cloudflare provides a comprehensive analysis of the DDoS threat landscape in Q3 2025, dominated by the newly identified Aisuru botnet. Aisuru, with an estimated 1-4 million infected hosts, launched hyper-volumetric attacks routinely exceeding 1 Tbps and 1 Bpps, peaking at 29.7 Tbps, causing widespread internet disruption. The report also notes a significant 347% month-over-month surge in DDoS attacks against AI companies in September 2025, correlating with increased public concern and regulatory scrutiny. Furthermore, escalating EU-China trade tensions led to a rise in attacks on the Mining, Minerals & Metals and Automotive industries. Geopolitical events also directly influenced attack activity in locations like the Maldives and France. Cloudflare's autonomous defenses mitigated 8.3 million DDoS attacks in the quarter, with network-layer attacks showing a substantial increase. The report concludes by emphasizing that the growing sophistication and scale of modern DDoS attacks render legacy mitigation solutions insufficient, subtly positioning Cloudflare's global network and autonomous systems as a superior defense.