Most people outside the IT or technology world have probably never heard of Cloudflare. But the IT infrastructure company is one of those whose services help keep the internet running smoothly.
For a long time, Cloudflare has been described as "the biggest company you’ve never heard of," with many touting it as the "gatekeeper" of the web for providing services to "protect your websites, apps, APIs, and AI workloads while accelerating performance."
Cloudflare's roles include monitoring traffic to websites and defending them against distributed denial-of-service (DDoS) attacks, in which malicious actors try to overwhelm them with requests. It also checks that users are human.
This time, a major disruption rippled through the internet as Cloudflare suffered a severe malfunction that brought down or destabilized many popular platforms.
Users across the world found themselves locked out of X, ChatGPT, Spotify, Canva, Discord, and even online games like League of Legends as error messages replaced the usual content.
Most of these messages pointed back to Cloudflare’s systems, especially its challenge and security layers, which began blocking legitimate visitors with warnings like "Please unblock challenges.cloudflare.com to proceed."

The trouble began around midday GMT. On its official status page, Cloudflare initially wrote:
Later on, the company shared:
This happened after a routine configuration change triggered a latent bug inside its bot-mitigation service, causing crashes that cascaded across the network.
Cloudflare insisted there was no sign of an attack, but the technical malfunction was serious enough to create what some experts described as a catastrophic disruption, especially given how many services hide behind Cloudflare to protect against DDoS attacks and manage traffic.
Downdetector, usually the first place people check during outages, was itself overwhelmed.
Even as Cloudflare attempted remediation, users continued seeing broken timelines on X, empty search results, images failing to load, and dashboards that simply wouldn’t open.
Some regions felt the impact more intensely, such as London, where Cloudflare temporarily disabled its WARP privacy service, leaving users unable to connect at all.
Most users experienced the outage for around 3 hours, with full restoration taking up to about 5½ hours.
According to Cloudflare in a blog post, the issue was triggered by a change to the permissions of one of its database systems, which caused the database to output multiple entries into a "feature file" used by its Bot Management system.
A misconfiguration in that file had doubled its size, creating a "larger-than-expected feature file" that "then propagated to all the machines that make up our network."
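A pre-propagation check for the failure described above, as an added example (not Cloudflare's code): it rejects a generated feature file that contains duplicate entries or has grown abnormally, and keeps shipping the last known-good file instead. The one-name-per-line format, the limits and all function names are assumptions made for illustration.

```python
from collections import Counter

MAX_FEATURES = 200       # assumed hard limit on the consumer side (not from the article)
MAX_GROWTH_RATIO = 1.5   # assumed: reject files more than 50% larger than the last good one

class FeatureFileRejected(Exception):
    """Raised when a generated feature file must not be propagated."""

def parse_features(text):
    # Assumed format: one feature name per line; blank lines and '#' comments ignored.
    lines = (ln.strip() for ln in text.splitlines())
    return [ln for ln in lines if ln and not ln.startswith("#")]

def validate(candidate_text, last_good_text):
    names = parse_features(candidate_text)
    dupes = sorted(n for n, c in Counter(names).items() if c > 1)
    if dupes:
        raise FeatureFileRejected(f"duplicate entries, e.g. {dupes[:3]}")
    if len(names) > MAX_FEATURES:
        raise FeatureFileRejected(f"{len(names)} entries exceeds limit {MAX_FEATURES}")
    baseline = len(parse_features(last_good_text))
    if baseline and len(names) > baseline * MAX_GROWTH_RATIO:
        raise FeatureFileRejected(f"grew from {baseline} to {len(names)} entries")
    return names

def select_for_rollout(candidate_text, last_good_text):
    """Return (file_to_ship, reason); fail safe by keeping the last good file."""
    try:
        validate(candidate_text, last_good_text)
        return candidate_text, "accepted"
    except FeatureFileRejected as exc:
        return last_good_text, f"rejected: {exc}"

# Constructed sample inputs (not real data).
LAST_GOOD = "\n".join(f"feature_{i}" for i in range(60))
DOUBLED = LAST_GOOD + "\n" + LAST_GOOD  # every entry emitted twice, file size doubled
GROWN = "\n".join(f"feature_{i}" for i in range(100))

if __name__ == "__main__":
    for label, cand in [("doubled", DOUBLED), ("grown", GROWN), ("same", LAST_GOOD)]:
        shipped, reason = select_for_rollout(cand, LAST_GOOD)
        print(f"{label}: {reason} (shipping {len(parse_features(shipped))} entries)")
```

Running the same check on the generator side and again on each consuming machine means a bad file that slips past one gate is still refused at the other.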

Experts pointed out that although such outages are rare, modern internet infrastructure is tightly interconnected.
The convenience of relying on giants like Cloudflare, AWS, and Azure creates a fragile ecosystem where a single point of failure can cause global ripple effects.
As Cloudflare worked through the incident, its CTO publicly apologized, calling the outage unacceptable and promising a full explanation. Services gradually started returning to normal, though elevated error rates lingered while systems recovered.
This episode, following closely after the recent AWS incident, reinforces how dependent the online world has become on just a handful of massive backbone providers. When one stumbles, everyone feels it.
On November 18 Cloudflare experienced a service outage, triggered by an issue with a Bot Management feature, impacting multiple Cloudflare services. Here's a detailed breakdown of what happened. https://t.co/7WArlr5ghI
— Cloudflare (@Cloudflare) November 18, 2025