Some experts have dubbed today\u2019s fast, AI-assisted \u201cvibe coding<\/a>\u201d culture, which emphasizes shipping new features quickly as trading away robustness for speed. The Cloudflare outage postmortem makes this clear: a seemingly innocuous database permission change cascaded into a network-wide failure<\/strong>. <\/p>\n\n\n\n Cloudflare\u2019s report <\/a>confirms no malicious attack was involved. Instead, on Nov 18 at 11:20\u202fUTC<\/strong>, our network began seeing \u201csignificant failures to deliver core network traffic,\u201d with users getting the above error. <\/p>\n\n\n\n The culprit was a database change: a ClickHouse permission update at 11:05<\/strong> caused the Bot Management feature-file query to double its output (via duplicate rows). That oversized file violated an internal 200-feature limit (set for performance), causing a Rust \u201cunwrap\u201d panic in Cloudflare<\/a>\u2019s new FL2 proxy code and triggering HTTP 5xx errors across the CDN.<\/p>\n\n\n Key events unfolded as follows:<\/p>\n\n\n\n <\/p>\n\n\n\n This timeline shows the unusual \u201czig-zag\u201d spike in errors every ~5 minutes as good and bad feature files alternated. Eventually the bad file prevailed and errors stabilized until remediation took effect.<\/p>\n\n\n Cloudflare\u2019s Bot Management module embeds a reinforcement-learning<\/a> model that scores each request as bot or human. This ML model consumes a \u201cfeature\u201d configuration file (a list of request-trait parameters). The feature file is regenerated every few minutes via a ClickHouse query so that it stays up-to-date.<\/p>\n\n\n\n On Nov 18, the scheduled ClickHouse update at 11:05 changed query semantics: it granted explicit access to underlying shard tables in the r0 schema. In prior behavior, querying metadata returned only the default schema\u2019s columns by assumption; after the change, the same query now returned columns from r0 too.<\/p>\n\n\n\n In practice, the Bot feature-generation query (a system.columns lookup) suddenly returned all<\/strong> columns from both default and r0 tables. Concretely, the report notes that “the response now contained all the metadata of the r0 schema, effectively more than doubling the rows”<\/em> in the resulting feature file. <\/p>\n\n\n\n In other words, a permission tweak caused duplicate<\/a> feature entries. The new feature file exceeded Cloudflare\u2019s built-in limit of 200 features. As soon as the bloated file hit production (in the FL2 proxy code path), the proxy panicked:<\/p>\n\n\n\n This unhandled Rust panic (during feature-file parsing) turned into HTTP 500 errors for any request going through the bot-management path. In summary, a simple DB query change made the ML feature config file twice as large, which triggered an internal error and caused core requests to fail.<\/p>\n\n\n Once the error occurred, it rippled through most Cloudflare services that depended on the core proxy or bot logic. The effect on customers varied depending on their proxy version: Cloudflare was midway through migrating traffic to a new proxy engine (FL2). <\/p>\n\n\n\n Per the report, customers on FL2 all<\/em> saw 5xx errors, while customers still on the legacy proxy (FL) saw no crashes \u2013 but all bot scores defaulted to zero. This meant any customer using bot scores to block<\/em> bots would suddenly drop all traffic (false positives). In short:<\/p>\n\n\n\n <\/p>\n\n\n\n In addition, Cloudflare saw unusually high CPU use on proxy nodes as its error-debugging<\/a> systems kicked in, which added latency for surviving traffic. At one point, even the Cloudflare status page (hosted outside Cloudflare\u2019s network) went down by coincidence, initially confusing the team into thinking this might be an external attack. In short, the bug turned into a cascading failure \u2013 flipping core traffic offline and then affecting most dependent control-plane services until fixed.<\/p>\n\n\n Initially, the errors looked like an external event (the status page outage and high error volumes spooked the team). However, internal telemetry soon pointed to an internal config issue. An automated test at ~11:31 picked up the anomaly, and by 11:35 an incident was declared. Early mitigation attempts included traffic shaping and account limiting on Workers KV to reduce load. Within about an hour, engineers used knowledge of Cloudflare\u2019s architecture <\/a>to narrow the cause: the Bot Management module\u2019s feature file was the trigger.<\/p>\n\n\n\n To blunt the impact while debugging<\/a>, at 13:05<\/strong> the team bypassed the core proxy for Workers KV and Access, sending them through an older proxy build. This reduced error rates (since the FL engine simply dropped features instead of crashing). With that reprieve, engineers focused on restoring the bot-config file. By 13:37<\/strong> they had confirmed the feature-file bug was the culprit and set out to roll back to a known-good version. A parallel workstream halted further bad file generation and propagated the last working file.<\/p>\n\n\n\n By 14:24<\/strong>, the team had stopped new feature-file deployments altogether and tested the rollback: as promised, the old file cured the errors in FL2. With confidence, they globally pushed the good file and restarted the proxy at 14:30<\/strong>. The core proxy was then largely stable: 5xx rates fell back to baseline and most traffic flowed normally. It took until ~17:06 for all lingering effects (restarting any services still in a bad state) to clear up.<\/p>\n\n\n <\/p>\n\n\n Cloudflare\u2019s leaders stress that this Cloudflare outage \u201cis unacceptable\u201d and the worst Cloudflare outage since 2019. They have outlined several architectural hardening steps: treating internally generated config files like external input (with validation checks), adding global kill-switches to disable new features, preventing diagnostic logs or core dumps from choking resources, and systematically reviewing failure modes in all proxy modules. <\/p>\n\n\n\n In essence, every control plane and configuration path will need stronger guardrails. Cloudflare also reminds us that each major incident informs building more resilient systems, noting that they have always responded to failures by adding redundancy and automation<\/a>.<\/p>\n\n\n For the SRE\/DevOps community, the key takeaway is a reconfirmation of \u201cdesign for failure.\u201d Even mature CDNs can be tripped by a subtle data bug if unchecked configuration changes ripple through the network. This incident \u2013 following closely on the heels of AWS\u2019s outage \u2013 highlights how high-velocity engineering (\u201cvibe coding\u201d with AI tools<\/a>) can create hidden failure surfaces. The rapid iteration culture demands equally rapid observability and testing countermeasures. <\/p>\n\n\n\n In practice, teams are now investing more in AI-powered testing<\/a> pipelines (even for mobile and edge apps) and richer runtime diagnostics to catch complex bugs early.<\/p>\n\n\n For example, automated end-to-end testing<\/a> and chaos testing can exercise new configuration flows before they hit prod. Similarly, enhanced tracing can pinpoint failures in ML-driven modules. Ultimately, as Cloudflare\u2019s outage experience shows, strong automation and testing frameworks are essential to support the fast AI-driven workflows<\/a> that define today\u2019s engineering culture.<\/p>\n","protected":false},"excerpt":{"rendered":" Just weeks after AWS disclosed a major DynamoDB outage in late October 2025 (triggered by a latent DNS-management race condition), Cloudflare suffered its own large-scale outage on November 18, 2025. Both incidents underscore how fragile modern cloud systems can become when small bugs combine with high deployment velocity. Some experts have dubbed today\u2019s fast, AI-assisted […]<\/p>\n","protected":false},"author":3,"featured_media":2886,"comment_status":"open","ping_status":"open","sticky":false,"template":"wp-custom-template-panto-code-review-blog","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-2879","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-ai-coding"],"_links":{"self":[{"href":"https:\/\/www.getpanto.ai\/blog\/wp-json\/wp\/v2\/posts\/2879","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.getpanto.ai\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.getpanto.ai\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.getpanto.ai\/blog\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.getpanto.ai\/blog\/wp-json\/wp\/v2\/comments?post=2879"}],"version-history":[{"count":0,"href":"https:\/\/www.getpanto.ai\/blog\/wp-json\/wp\/v2\/posts\/2879\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.getpanto.ai\/blog\/wp-json\/wp\/v2\/media\/2886"}],"wp:attachment":[{"href":"https:\/\/www.getpanto.ai\/blog\/wp-json\/wp\/v2\/media?parent=2879"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.getpanto.ai\/blog\/wp-json\/wp\/v2\/categories?post=2879"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.getpanto.ai\/blog\/wp-json\/wp\/v2\/tags?post=2879"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}![\"Cloudflare](\"https:\/\/www.getpanto.ai\/blog\/wp-content\/uploads\/2025\/11\/image-136.png\")
<\/figure>\n\n\n\n<\/span>Cloudflare Outage Timeline and Sequence of Events<\/strong><\/span><\/h2>\n\n\n
![\"Timeline](\"https:\/\/www.getpanto.ai\/blog\/wp-content\/uploads\/2025\/11\/image-134.png\")
<\/figure>\n\n\n\n\n
<\/li>\n\n\n\n
<\/li>\n\n\n\n
<\/li>\n\n\n\n
<\/li>\n\n\n\n
<\/li>\n\n\n\n
<\/li>\n\n\n\n
<\/li>\n\n\n\n
<\/li>\n<\/ol>\n\n\n\n<\/span>Deep Dive into the CloudFlare Outage<\/strong><\/span><\/h2>\n\n
<\/span>Root Cause: Bot-Management Feature File and Query Bug<\/strong><\/span><\/h3>\n\n\n
thread fl2_worker_thread panicked: called Result::unwrap() on an Err value<\/code><\/pre>\n\n\n\n<\/span>Failure Propagation and Impact Across Systems<\/strong><\/span><\/h3>\n\n\n
\n
<\/span>Incident Diagnostics and Mitigation<\/strong><\/span><\/h3>\n\n\n
<\/span>Lessons Learned and Future Protections<\/strong><\/span><\/h2>\n\n\n
![\"Lessons](\"https:\/\/www.getpanto.ai\/blog\/wp-content\/uploads\/2025\/11\/image-removebg-preview.png\")
<\/figure>\n\n\n\n<\/span>Cloudflare\u2019s Leadership Response and Architectural Hardening<\/strong><\/span><\/h3>\n\n\n
<\/span>Key Takeaway for SRE\/DevOps Community<\/strong><\/span><\/h3>\n\n\n
<\/span>Automation and Testing Frameworks Importance<\/strong><\/span><\/h3>\n\n\n