On November 18th, 2025 at around 11:20 UTC, Cloudflare’s network began failing to deliver core traffic. Users attempting to access sites behind Cloudflare saw error pages indicating failure within Cloudflare’s network.
So what caused this global outage? A change to the permissions of one of Cloudflare’s database systems inadvertently caused a configuration file (used by their Bot Management system) to balloon in size. That oversized “feature file” propagated across the network, exceeded internal limits, and triggered cascading failures. This essentially broke the proxy layer that routes traffic.
Between 11:20 UTC and 17:06 UTC the company worked to restore service, eventually replacing the faulty configuration file with a working version and restarting services globally.
Cloudflare described the incident as their worst outage since 2019. Especially being an internal failure, not a cyber-attack.
The scale: how many major platforms went dark
Because Cloudflare provides CDN, DNS, reverse-proxying, security (WAF, bot mitigation) and more for a large portion of the web, the outage impacted dozens of globally popular platforms. Services such as ChatGPT, X (formerly Twitter), and many others reportedly went offline or returned error pages during the outage.
This shows how deeply many “household” platforms rely on a handful of infrastructure providers. When one foundation cracks, many seemingly unrelated services collapse.
Why this outage is dangerous. And what it reveals
Shared infrastructure creates shared risk
Cloudflare powers security, performance, and reliability for a huge portion of the web. When it fails, that failure cascades to all dependent parties.
A single internal bug can paralyse large parts of the internet
In this case the trigger was a routine change to database permissions. No external attacker. No DDoS. Just a mis-configured setting that caused internal cascading failure. Sometimes one small mistake inside a system can cause big parts of the internet to stop working.
Critical systems (DNS, CDN, security, bot mitigation) are highly interdependent
Cloudflare’s core services such as CDN, DNS, reverse proxy, bot management, Workers KV, Access and security layers are deeply integrated. When the proxy fails, downstream services like authentication, dashboard access, worker execution, and more break, affecting both performance and access. To put it simply, the problem started because someone changed a simple setting, and that mistake made a lot of websites stop working, even though no one was attacking them.
The entire ecosystem’s reliability depends on a few central providers
This outage follows a similar trend: earlier in October 2025, Amazon Web Services (AWS) also suffered a major outage that disrupted thousands of sites worldwide.
Most of the internet depends on just a few big companies, and when one of them has a problem, the whole internet feels it.
What this means for businesses, developers and content platforms
Redundancy matters more than ever
For businesses, relying on a single provider for CDN, DNS, and security (even if that provider is Cloudflare) becomes a single point of failure. Building fallback systems, multi-provider redundancy, and failover strategies is no longer optional.
Users must rethink uptime guarantees
Uptime SLAs at the infrastructure layer don’t shield you from internal failures. As we saw, a configuration mistake can ripple out globally, and any “99.9% uptime” guarantee may still leave you offline in those 0.1%.
Communications uplink matters, even for SaaS/consumer brands
SaaS companies, apps, and content platforms must consider infrastructure risk as part of their continuity planning. Outages like this aren’t just an “IT issue” — they impact user experience, brand reputation, and conversion funnels.
The fragility of “cloud monocultures” is real
The more the web consolidates around a few big providers, the bigger the systemic risk becomes. Outages are no longer isolated; they are systemic events.
A quick comparison: Cloudflare 2025 vs AWS October 2025
- The AWS outage on 20 October 2025 disrupted hundreds of services worldwide, including streaming platforms, apps, retail, and more. It reportedly affected thousands of companies and led to billions in lost productivity globally.
- In the Cloudflare outage, the blast radius was different: instead of backend cloud services, it struck web-facing infrastructure. The immediate effect was that a large swath of “the public web” went dark or returned error pages.
In both cases, what matters is not only resilience of a single provider, but the resilience of the entire architecture stacking on top of them.
What Businesses Should Take Away from This
The Cloudflare outage is a reminder that digital infrastructure is not just a technical concern. It is a business risk. Even routine changes can create unexpected disruption, so it’s worth thinking ahead rather than reacting later.
What to consider moving forward:
- Use more than one provider for critical services like DNS, CDN and hosting. It reduces the chance that everything goes down at once.
- Run regular failover tests, even for scenarios that seem unlikely. A simple configuration error can cause major interruption.
- Have backup communication and service plans ready. This might include static versions of your site or backup hosting options.
- Treat infrastructure decisions with the same care as financial or operational strategy. Convenience should never replace resilience.
At IFT, our view is simple: digital systems will fail at some point. Businesses that prepare for that reality will recover faster, protect their reputation and stay ahead of competitors who only start planning after something breaks.
.svg){kind=small}
.svg){kind=small}
-1.png)
