At 6:30 a.m. Eastern Time on November 18, 2025, millions of websites went dark—not from a hacker, not from a power surge, but from a single misconfigured database permission. Cloudflare Inc., the San Francisco-based internet infrastructure giant headquartered at 101 Townsend Street, San Francisco, California, 94107, United States, suffered a cascading failure that crippled its global network for hours. The culprit? A routine update to a ClickHouse database cluster that accidentally doubled the size of a tiny but critical file used by its Bot Management system. What should’ve been a quiet maintenance window turned into one of the most disruptive internet outages of the year, affecting an estimated 25 million websites and applications that rely on Cloudflare’s DNS, CDN, and security services.
How a 60-Entry File Broke the Internet
Under normal conditions, Cloudflare’s Bot Management system uses a feature file containing about 60 entries to identify and filter malicious bot traffic. It’s a small, efficient data structure—like a digital fingerprint list for automated scripts. But during a permission upgrade on the ClickHouse database, a flawed query began duplicating entries. Instead of 60, the file ballooned to over 200. That might sound minor. Until you realize the FL2 proxy system, written in Rust, had a hardcoded limit of 128 entries. When the file exceeded that threshold, the system tried to allocate memory for 200+ entries… and crashed. Hard.The error didn’t show up as a warning. It didn’t log gracefully. It triggered an uncaught Rust exception, which threw an HTTP 5xx error—effectively shutting down the proxy for every request that hit it. Customers using the older FL proxy system? Fine. But FL2 handled the bulk of traffic. And because the corrupted file regenerated every five minutes, the outage wasn’t continuous—it came in waves. Services flickered on, then died again. Engineers were chasing ghosts.
The Diagnostic Nightmare
"It was like trying to fix a leak while the faucet keeps turning itself on and off," one engineer familiar with the incident told insiders. The intermittent nature made diagnosis nearly impossible. One moment, the system would appear healthy. The next, 10% of Cloudflare’s edge servers would go dark. The company’s status page? Unresponsive. Many website operators couldn’t even log in to switch to backup DNS providers because their domains were hosted on Cloudflare’s own infrastructure. You couldn’t escape the outage because you were already inside it.Meanwhile, Cloudflare’s global network—processing 20 million HTTP requests per second across 275+ cities in over 100 countries—was hemorrhaging traffic. E-commerce sites lost sales. News portals went silent. Even some government service portals in Europe and Asia experienced slowdowns. The ripple effect was immediate and widespread.
Not a Hack—Just a Human Error
Matthew John Prince, Cloudflare’s co-founder and CEO, was quick to clarify: "This was not caused directly or indirectly by a cyberattack or malicious activity." That distinction matters. Unlike the 2021 Akamai BGP leak that took down UK broadband providers, or the October 2025 Akamai hiccup, this wasn’t an external threat. It was internal. A permissions change. A query that ran on only part of the cluster. A threshold that hadn’t been updated in years.Technical analysts pointed to the use of Rust’s .unwrap() method—a common but dangerous shortcut that crashes the program if a value is missing. "Blaming Rust is like blaming Michelin when you crash your car in the rain," noted Hackaday’s lead systems analyst. "The language didn’t fail. The design did." The real issue? A lack of validation. No guardrails. No size check before propagation. Just trust that the file would stay small.
Why This Matters Beyond Cloudflare
This outage isn’t just a Cloudflare problem. It’s a warning shot across the bow of every company that relies on complex, distributed systems. We’ve built an internet where a single line of code in one data center can knock out global services. Cloudflare’s infrastructure is among the most resilient on the planet—and it still broke.Companies now face a brutal truth: automation without oversight is a ticking bomb. The more you abstract away human control, the more dangerous small errors become. Cloudflare’s system didn’t need more AI. It needed a simple check: "Is this file bigger than it should be?" That’s it.
What’s Next for Cloudflare
In its postmortem, published the same evening, Cloudflare committed to three fixes:- Implementing runtime validation on feature file sizes before distribution
- Adding real-time monitoring for unexpected file growth patterns
- Revising the FL2 proxy’s memory allocation logic to handle edge cases more gracefully
They also acknowledged a cultural blind spot: engineers assumed the file would never grow beyond 128 entries because it had never done so before. That’s classic "it’s always worked" thinking. The next outage might not be a database permission—it could be a JSON schema change, a misconfigured API key, or a cached value that never expired.
For now, Cloudflare’s network is stable. Services are back. But the trust? That’s still being rebuilt.
Frequently Asked Questions
How did the database permission change cause the file to double in size?
The permission update allowed a query on the ClickHouse database to access duplicate records it previously couldn’t see. This caused the Bot Management system’s feature file—which normally contained 60 unique entries—to include redundant data, inflating it to over 200 entries. The issue only triggered when the query ran on the updated portion of the cluster, creating a 5-minute cycle of good and bad file generation.
Why couldn’t customers switch to backup DNS providers during the outage?
Many customers used Cloudflare for both DNS hosting and web services. When Cloudflare’s portal went down, users couldn’t access their dashboards to reconfigure DNS records. Even if they knew how to switch providers, the DNS propagation delay (often 24–48 hours) made immediate action impossible. The outage trapped users inside their own dependency.
Was Rust to blame for the outage?
No. Rust’s .unwrap() method is a tool, not a flaw. The issue was that engineers used it without safeguards, assuming the input data would always be valid. The language didn’t fail—the design did. Similar crashes have happened in Python, Go, and Java systems. The real lesson is about defensive coding, not programming language choice.
How does this compare to past internet outages like Akamai’s in 2021?
The 2021 Akamai outage stemmed from a BGP route leak—a routing protocol error that misdirected traffic globally. Cloudflare’s issue was internal: a misconfigured database query. Akamai’s was a network-level failure; Cloudflare’s was a software logic failure. Both caused similar disruption, but the root causes are fundamentally different—one was a routing mistake, the other a code oversight.
Could this happen to other CDN providers like Fastly or Amazon CloudFront?
Absolutely. All major CDNs use similar proxy systems and dynamic configuration files. Fastly’s 2021 outage was caused by a syntax error in a customer’s VCL configuration. Amazon CloudFront has had intermittent issues from cache invalidation bugs. The pattern is clear: complexity without validation breeds fragility. No provider is immune.
What’s the long-term impact on Cloudflare’s reputation?
Cloudflare’s transparency in publishing the postmortem helped mitigate damage. But trust is earned in calm moments, not crisis. Enterprises that rely on Cloudflare for mission-critical services are now re-evaluating their dependency on single providers. Expect more multi-CDN strategies and stricter SLA negotiations in 2026. The outage didn’t break Cloudflare—it exposed how much the internet depends on it.