The IT service provider, which claims to support 20pc of the web, blamed its latest disruption on a change it made to its Web Application Firewall.
Cloudflare experienced the second major outage in the space of a month today (5 December), this time related to its dashboard and related application programming interfaces (APIs).
Just before 9am this morning, reports started flooding into disruptions reporting platform DownDetector’s page for Cloudflare, as people reported seeing empty pages and a “500 Internal Server Error” message when visiting the websites of some of the IT service provider’s customers.
As websites across the internet went down, Cloudflare shares fell as much as 4.5pc in premarket trading.
Sites and platforms such as Zoom, LinkedIn, Shopify, Canva, Substack, Coinbase and even DownDetector were reportedly affected by the disruption, which Cloudflare said was resolved at approximately 9.20am.
In an update on its status page, Cloudflare said that a change made to how its Web Application Firewall parses requests caused the disruption, clarifying that the issue was not the result of a cyberattack.
According to Cloudflare, the change was deployed to help mitigate an “industry-wide vulnerability” in React Server Components.
Earlier this week, open-source JavaScript library React disclosed the presence of a security vulnerability in its software library that allowed unauthenticated remote code execution by exploiting a flaw in how React decodes payloads sent to React Server Function endpoints.
This latest disruption doesn’t come long after a similar, albeit longer, global outage hit Cloudflare last month.
According to Cloudflare’s co-founder and CEO Matthew Prince, the November outage was triggered by a change to one of the company’s database systems’ permissions, which caused the database to output multiple entries into a “feature file” used by Cloudflare’s bot management system.
At the time of last month’s disruption, security professionals from numerous companies spoke about these sorts of incidents highlight the impact of ‘concentration risk’ that comes with heavy dependence on a select number of online infrastructure providers – Cloudflare itself claims that its technology is used to support 20pc of the web.
Today’s incident is no different.
Richard Ford, CTO at cybersecurity company Integrity360 told SiliconRepublic.com that the latest outage underscores something that many in cybersecurity and tech have “long warned about”.
“As the internet has grown more complex, a handful of infrastructure providers end up holding unexpectedly large power over its functioning,” he said. “Cloudflare sits at the heart of that, providing CDN, proxying, routing, DNS and caching so that websites can stay fast, secure and resilient under load.
“When a provider like this fails, whether due to internal error, configuration change or external attack, the ripple effects hit far more than just a few sites. What feels like one outage to a user is actually a systemic failure affecting traffic flows across many unrelated organisations.”
Ford stated that today should be a wake-up call for businesses.
“Relying entirely on a single provider for critical infrastructure is a fragile strategy. Companies should be thinking now about redundancies – multi‑CDN configurations, fallback hosting or hybrid cloud set-ups – so one failure doesn’t take everything down.”
Don’t miss out on the knowledge you need to succeed. Sign up for the Daily Brief, Silicon Republic’s digest of need-to-know sci-tech news.
