Yesterday, for roughly 30 minutes, a significant chunk of the internet simply stopped working.
LinkedIn went dark. Zoom calls froze. Shopify stores returned 500 errors. Coinbase traders couldn’t log in. Even Downdetector — the site people use to check if something is down — was itself down.
The common denominator? Cloudflare.
At 8:47 UTC on December 5, 2025, Cloudflare pushed a configuration change to its global Web Application Firewall (WAF) designed to protect customers from a freshly disclosed, industry-wide remote-code-execution vulnerability in React Server Components (CVE-2025-55182, quickly nicknamed “React2Shell”). The fix required disabling certain logging behaviors that the vulnerability abused.
The change backfired spectacularly.
Instead of blocking attackers, the update caused internal routing and processing failures across dozens of data centers, instantly taking roughly 28% of Cloudflare’s HTTP traffic offline. The company’s own dashboard and API became unreachable, leaving engineers blind and customers furious. By 9:12 UTC — 25 minutes later — Cloudflare rolled back the change and declared the incident resolved.
It was not a cyberattack. It was not a third-party breach. It was, in the company’s own words, “a self-inflicted wound.”
The Second Major Outage in Three Weeks
This was not Cloudflare’s first rodeo in late 2025.
- November 18: A logic bug in Bot Management knocked out X (Twitter), OpenAI, Spotify, Discord, and League of Legends for over an hour.
- September 2025: Database replication issues caused regional outages.
- December 5: The React2Shell mitigation gone wrong.
Three global incidents in under four months. For a company that proudly claims “uptime is our religion,” the streak is raising eyebrows — and forcing hard conversations across the industry.
Why These Failures Matter More Than Ever
Cloudflare now sits in front of more than 20% of all websites — roughly 1 in 5 HTTP requests worldwide pass through its network. That scale turns even brief internal mistakes into internet-wide events.
When AWS hiccups, parts of the internet slow down. When Cloudflare hiccups, parts of the internet disappear.
Critics have long warned about this exact centralization risk. A single misconfigured firewall rule or bad regex can cascade into millions of users seeing error pages. Yesterday proved the critics right — again.
The Impossible Trade-off: Speed vs. Safety
The irony is bitter: Cloudflare was trying to protect its customers from a zero-day that could have allowed attackers to execute arbitrary code on millions of sites. The vulnerability was severe enough that multiple CDNs and hosting providers scrambled to deploy mitigations within hours of disclosure.
In cybersecurity, the mantra is “patch fast.” Cloudflare patched fastest — and paid the price.
As one engineer anonymously posted on Hacker News yesterday:
“We’re damned if we move slowly and damned if we move quickly. There is no reward for doing the right thing at the right speed.”
What Comes Next
Cloudflare has promised a detailed post-mortem within the week. Early indicators suggest the company will:
- Add stricter staged rollouts for WAF rule changes
- Improve “kill-switch” visibility when the dashboard itself is impaired
- Re-evaluate how quickly experimental logging features are rolled out to the entire fleet
In the longer term, many enterprises are quietly accelerating “multi-CDN” strategies — routing traffic through Cloudflare and at least one other provider (Fastly, Akamai, or AWS CloudFront) so that no single point of failure can take them offline.
Final Thought
The internet is no longer a collection of independent servers; it is a stack of critical infrastructure providers, each one a potential single point of global failure.
Yesterday’s outage wasn’t just about Cloudflare making a mistake. It was a reminder that, in 2025, one company’s configuration change — intended to make the web safer — can accidentally make half of it unreachable.
The fix for React2Shell has been re-deployed safely as of this morning. The internet is back.
But the conversation about resilience, redundancy, and the dangers of internet monoculture has only just begun.