Cloudflare hit by second outage in weeks, denies cyberattack

Cloudflare said an internal change made while responding to a newly disclosed React security flaw caused its own network to be unavailable for several minutes on Friday, but stressed the incident was not the result of an attack.

Cloudflare, a US-based web infrastructure and security company that operates a global content delivery network (CDN) and Domain Name System (DNS) service, runs one of the world’s largest networks, helping websites and apps load faster and stay online by protecting them from traffic surges and cyberattacks.

In a post on X (formerly Twitter), Cloudflare Chief Technical Officer (CTO) Dane Knecht said the company was “aware of the issue impacting the availability of Cloudflare’s network.”

He added: “It was not an attack; root cause was disabling some logging to help mitigate this week’s React CVE (Common Vulnerabilities and Exposures),” referring to a vulnerability in React’s server-side components.

Knecht said Cloudflare would “share full details in a blog post today”, adding that “sites should be back online now,” while acknowledging “the frustration this causes and the work being” done by customers. The post was published at 2:20pm on Friday, December 5, 2025.

An incident report on Cloudflare’s status page later marked the issue as resolved. “A change made to how Cloudflare’s WAF [Web Application Firewall] parses requests caused Cloudflare’s network to be unavailable for several minutes this morning,” the report said. 

“This was not an attack; the change was deployed by our team to help mitigate the industry-wide vulnerability disclosed this week in React Server Components. We will share more information as we have it today.”

According to the status page, Cloudflare first reported problems at 08:56 UTC, saying it was “investigating issues with Cloudflare Dashboard and related APIs [Application Programming Interface]” and warning that “customers using the Dashboard / Cloudflare APIs are impacted as requests might fail and/or errors may be displayed.” 

At 09:09 UTC, the company said it was “continuing to investigate this issue.” By 09:12 UTC, it posted a “Monitoring” update stating that “a fix has been implemented and we are monitoring the results.” A further update at 09:19 UTC said Cloudflare was “continuing to monitor the results,” and at 09:20 UTC the incident was declared resolved.

The disruption comes a few weeks after a separate outage in November, when an automatically generated configuration file grew too large and crashed the software handling traffic for several Cloudflare services. 

That incident, which began around 6:30am Eastern Time (ET), briefly prevented thousands of users from accessing major platforms including X, ChatGPT, Canva and Grindr. Cloudflare said then there was “no evidence that this was the result of an attack or caused by malicious activity” and that it had deployed a fix while working to restore service globally.

Cloudflare says it is monitoring the results of Friday’s fix and has promised a fuller technical explanation in a blog post.