Why it matters: This initiative highlights the danger of instant global configuration propagation. By treating config as code and implementing gated rollouts, Cloudflare demonstrates how to mitigate blast radius in hyperscale systems, a critical lesson for SRE and platform engineers.

  • Cloudflare launched 'Code Orange: Fail Small' to prioritize network resilience after two major outages caused by rapid configuration deployments.
  • The plan mandates controlled, gated rollouts for all configuration changes, mirroring the existing Health Mediated Deployment (HMD) process used for software binaries.
  • Teams must now define success metrics and automated rollback triggers for configuration updates to prevent global propagation of errors.
  • Engineers are reviewing failure modes across traffic-handling systems to ensure predictable behavior during unexpected error states.
  • The initiative aims to eliminate circular dependencies and improve 'break glass' procedures for faster emergency access during incidents.

Why it matters: Cloudflare is scaling its abuse mitigation by integrating AI and real-time APIs. For engineers, this demonstrates how to handle high-volume legal and security compliance through automation and service-specific policies while maintaining network performance and reliability.

  • Cloudflare's H1 2025 transparency report highlights a significant increase in automated abuse detection and response capabilities.
  • The company is utilizing AI and machine learning to identify sophisticated patterns in unauthorized streaming and phishing campaigns.
  • A new API-driven reporting system for rightsholders has scaled DMCA processing, increasing actions from 1,000 to 54,000 in six months.
  • Cloudflare applies service-specific abuse policies, distinguishing between hosted content and CDN/security services.
  • Technical measures prevent the misconfiguration of free-tier plans for high-bandwidth video streaming to protect network resources.
  • Collaborative data sharing with rightsholders enables real-time identification and mitigation of domains involved in streaming abuse.

Why it matters: Engineers can now perform complex analytical queries directly on R2 data without egress or external processing. This distributed approach to aggregations enables high-performance log analysis and reporting across massive datasets using familiar SQL syntax.

  • Cloudflare R2 SQL now supports SQL aggregations including GROUP BY, SUM, COUNT, and HAVING statements.
  • The engine executes queries over Apache Parquet files stored in the R2 Data Catalog using a distributed architecture.
  • The engine uses a scatter-gather approach in which worker nodes compute pre-aggregates, so computation scales horizontally.
  • Pre-aggregates represent partial states, such as intermediate sums and counts, which are merged by a coordinator node.
  • It introduces shuffling aggregations to handle operations such as ORDER BY and HAVING on computed aggregate columns.
  • The system is designed to spot trends, generate reports, and identify anomalies in large-scale log data.
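The scatter-gather model summarized above, as an added example (not Cloudflare's R2 SQL code): each worker turns its share of rows into mergeable partial states (count, sum, max) per group, a coordinator merges those states, and only the merged result is filtered with HAVING and sorted with ORDER BY. The sample request-log rows, the path/latency schema and the `naive_average_of_averages` contrast are constructed for this example; the contrast shows why workers must ship partial states rather than finished averages.

```python
"""Scatter-gather GROUP BY with mergeable partial states (added example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Partial:
    """Partial aggregate state for one group; mergeable across workers."""
    count: int = 0
    total: float = 0.0
    maximum: float = float("-inf")

    def add(self, value):
        self.count += 1
        self.total += value
        self.maximum = max(self.maximum, value)

    def merge(self, other):
        return Partial(self.count + other.count,
                       self.total + other.total,
                       max(self.maximum, other.maximum))

    @property
    def avg(self):
        return self.total / self.count


# Constructed sample: each inner list stands for one Parquet file handled by
# one worker; rows are (request path, latency in milliseconds).
FILES = [
    [("/api", 120), ("/api", 80), ("/login", 300)],
    [("/api", 100), ("/login", 500), ("/static", 5)],
    [("/static", 10), ("/login", 700), ("/api", 60)],
]


def scatter(rows):
    """Worker step: GROUP BY path, emitting partial states, not final values."""
    groups = defaultdict(Partial)
    for path, latency_ms in rows:
        groups[path].add(latency_ms)
    return dict(groups)


def gather(partials_per_worker):
    """Coordinator step: merge the partial states from every worker."""
    merged = {}
    for partials in partials_per_worker:
        for key, state in partials.items():
            merged[key] = merged[key].merge(state) if key in merged else state
    return merged


def query(files, having_min_avg, limit=None):
    """SELECT path, COUNT(*), AVG(latency), MAX(latency) GROUP BY path
    HAVING AVG(latency) >= having_min_avg ORDER BY AVG(latency) DESC."""
    merged = gather(scatter(rows) for rows in files)
    # HAVING and ORDER BY run on the merged aggregate columns, never per worker.
    out = [(path, s.count, s.avg, s.maximum)
           for path, s in merged.items() if s.avg >= having_min_avg]
    out.sort(key=lambda r: r[2], reverse=True)
    return out[:limit] if limit else out


def naive_average_of_averages(files):
    """Wrong approach for contrast: averaging per-worker averages."""
    per_worker = defaultdict(list)
    for rows in files:
        for path, state in scatter(rows).items():
            per_worker[path].append(state.avg)
    return {path: sum(v) / len(v) for path, v in per_worker.items()}


if __name__ == "__main__":
    for row in query(FILES, having_min_avg=50):
        print(row)
    print("naive /api avg:", naive_average_of_averages(FILES)["/api"])
```

`/api` has latencies 120, 80, 100 and 60 across the three files, so the true average is 90; the per-worker averages (100, 100, 60) average to 86.7, which is why the coordinator needs sums and counts rather than averages.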

Why it matters: This report offers critical insights into evolving user behavior, platform dominance, and emerging tech trends like AI and digital finance. Engineers can leverage this data to inform product strategy, infrastructure planning, and understand the competitive landscape of internet services.

  • Cloudflare's 2025 report ranks top internet services based on anonymized DNS query data from its 1.1.1.1 resolver, highlighting shifts in popularity across nine categories.
  • Generative AI saw significant competition, with Claude, Gemini, and Perplexity challenging ChatGPT, and Gemini reaching the #2 spot by year-end.
  • The social media landscape shifted: Instagram rose to #5 overall, while TikTok and X declined, and Kwai gained traction in emerging markets.
  • Asian e-commerce platforms like Shopee and Temu joined Amazon in the global top 3, indicating a significant regional climb.
  • Google, Facebook, and Apple remained the top three overall internet services, with Microsoft and Instagram showing strong growth in their rankings.
  • Digital finance services like Stripe and neobank Nubank demonstrated continued dominance and growth, alongside a surge in cryptocurrency traffic for platforms like OKX.

Why it matters: This review offers critical insights into evolving Internet trends, including AI's impact on web traffic, the rise of post-quantum security, and network performance, essential for engineers building and securing online services.

  • Global Internet traffic grew 19% in 2025, with Starlink traffic doubling and Googlebot leading verified bot activity for search and AI training.
  • Post-quantum encrypted web traffic reached 52% of human-generated requests, highlighting a significant shift in security adoption.
  • AI-related crawling surged, with Googlebot's dual-purpose crawls dominating and "user action" crawling increasing 15x. AI bots were also frequently blocked via robots.txt.
  • Meta's llama-3-8b-instruct was the most popular model on Workers AI, primarily used for text generation tasks.
  • Mobile traffic saw iOS devices account for 35% globally, while HTTP/2 and HTTP/3 adoption continued to rise.

Why it matters: This critical RCE in React Server Components allows unauthenticated code execution. Engineers must patch immediately and apply WAF rules to protect against active exploitation and prevent severe security breaches.

  • React2Shell (CVE-2025-55182) is a critical RCE vulnerability (CVSS 10.0) in the React Server Components (RSC) Flight protocol.
  • The flaw stems from unsafe deserialization, enabling unauthenticated attackers to execute arbitrary privileged JavaScript with a single crafted HTTP request.
  • Cloudflare observed immediate, widespread scanning and exploitation attempts by threat actors within hours of public disclosure.
  • Threat actors leverage vulnerability scanners (e.g., Nuclei), asset discovery platforms, and tools like Burp Suite for reconnaissance and exploitation.
  • Two other RSC vulnerabilities, CVE-2025-55183 (Server Function leaking) and CVE-2025-55184 (DoS), were also disclosed.
  • Cloudflare deployed WAF rules to mitigate these threats, available to all customers.

Why it matters: This article provides a blueprint for implementing "shift left" security and IaC at enterprise scale, crucial for preventing misconfigurations, enhancing consistency, and improving operational efficiency in large, complex environments.

  • Cloudflare adopted "shift left" principles and Infrastructure as Code (IaC) to manage its critical platform securely and consistently at enterprise scale.
  • All production account configurations are managed via IaC using Terraform, integrated with a custom CI/CD pipeline (Atlantis, GitLab, tfstate-butler).
  • A centralized monorepo holds all configurations, with teams owning their specific sections, promoting accountability and consistency.
  • Security baselines are enforced through Policy as Code (Open Policy Agent with Rego), shifting validation to the earliest stages of development.
  • Policies are automatically checked on every merge request, preventing misconfigurations before deployment and minimizing human error.

Why it matters: Engineers can now deploy Python applications globally on Cloudflare Workers with full package support and exceptionally fast cold starts. This significantly improves serverless Python development, offering a highly performant and flexible platform for a wide range of edge computing use cases.

  • Cloudflare Python Workers now support any Pyodide-compatible package, including pure Python and many dynamic libraries, enhancing developer flexibility.
  • A uv-first workflow and pywrangler tooling simplify package installation and global deployment of Python applications on the Workers platform.
  • Significant cold start performance improvements have been achieved through dedicated memory snapshots, making Python Workers 2.4x faster than AWS Lambda and 3x faster than Google Cloud Run for package-heavy applications.
  • The platform offers a free tier and supports various use cases, from FastAPI apps and HTML templating to real-time chat with Durable Objects and image generation.
  • These advancements provide a Python-native serverless experience with global deployment and minimal latency.

Why it matters: This incident underscores the critical impact of configuration management in distributed systems. It highlights how rapid, global deployments without gradual rollouts and robust error handling can lead to widespread outages, even from seemingly minor code paths.

  • A 25-minute Cloudflare outage on Dec 5, 2025, impacted 28% of HTTP traffic due to a configuration change.
  • The incident stemmed from disabling an internal WAF testing tool, intended to mitigate a React Server Components vulnerability (CVE-2025-55182).
  • A global configuration system, lacking gradual rollout, propagated a change that triggered a Lua runtime error in the FL1 proxy.
  • The error was an attempt to access a nil value ('rule_result.execute') when a killswitch skipped an "execute" action rule, a bug undetected for years.
  • This highlights the need for robust type systems and safe deployment practices, especially for critical infrastructure.
  • Cloudflare acknowledges similar past incidents and is prioritizing enhanced rollouts and versioning to prevent future widespread impacts.
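The gated-rollout practice described in the 'Code Orange: Fail Small' summary and the lesson of the outage summary above, as one added example (not Cloudflare's HMD or Code Orange tooling): a configuration change advances through progressively larger fleet fractions only while a success metric stays under a threshold, and a breach triggers rollback instead of further propagation. The stage sizes, the error-rate threshold and the two scenario probes (`faulty_change`, `healthy_change`) are constructed assumptions; the metric is the error rate among requests already served under the new configuration.

```python
"""Gated configuration rollout with an automatic rollback trigger (added example)."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

# Constructed stage plan: fraction of the fleet exposed at each gate, canary -> global.
STAGES = [0.01, 0.05, 0.25, 1.0]


@dataclass
class RolloutResult:
    completed: bool
    rolled_back_at: Optional[float]
    history: List[Tuple[float, float]] = field(default_factory=list)


def gated_rollout(metric_for_stage: Callable[[float], float],
                  max_error_rate: float = 0.01,
                  stages=STAGES) -> RolloutResult:
    """Advance through stages; roll back at the first gate whose metric fails.

    metric_for_stage(fraction) returns the observed error rate among requests
    handled under the new configuration once that fraction of the fleet runs it
    (a hypothetical probe supplied by the caller).
    """
    result = RolloutResult(completed=False, rolled_back_at=None)
    for fraction in stages:
        observed = metric_for_stage(fraction)
        result.history.append((fraction, observed))
        if observed > max_error_rate:
            # Rollback trigger: stop here, the remaining stages are never applied.
            result.rolled_back_at = fraction
            return result
    result.completed = True
    return result


def blast_radius(result: RolloutResult) -> float:
    """Largest fleet fraction that ever ran the change."""
    return max(fraction for fraction, _ in result.history)


# Constructed scenario: a change that crashes a request-handling code path, so
# every request served under it fails regardless of how much of the fleet has it.
def faulty_change(fraction: float) -> float:
    return 1.0


# Constructed scenario: a change with a healthy background error rate.
def healthy_change(fraction: float) -> float:
    return 0.001


if __name__ == "__main__":
    gated = gated_rollout(faulty_change)
    print("gated: rolled back at", gated.rolled_back_at,
          "blast radius", blast_radius(gated))
    instant = gated_rollout(faulty_change, stages=[1.0])
    print("instant global push: rolled back at", instant.rolled_back_at,
          "blast radius", blast_radius(instant))
    print("healthy change completed:", gated_rollout(healthy_change).completed)
```

With the staged plan the faulty change is caught at the 1% canary; pushing the same change through a single global stage (`stages=[1.0]`) exposes the whole fleet before the metric can trip, which is the failure mode the outage summary describes.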

Why it matters: This article is crucial for engineers managing React/Next.js applications, highlighting an RCE vulnerability and Cloudflare's WAF as a critical first line of defense. It emphasizes the importance of both network-level protection and prompt application-level updates.

  • Cloudflare WAF has deployed new rules to proactively protect against a critical Remote Code Execution (RCE) vulnerability (CVE-2025-55182, CVSS 10.0) in React Server Components.
  • The vulnerability impacts React versions 19.0-19.2 and Next.js versions 15-16, allowing insecure deserialization leading to RCE.
  • All Cloudflare customers with traffic proxied through WAF are automatically protected, including free and paid plans, with default block actions.
  • Cloudflare Workers-based applications are inherently immune to this specific exploit.
  • Despite WAF protection, users are strongly recommended to update to React 19.2.1 and the latest Next.js versions (16.0.7, 15.5.7, 15.4.8).
  • Specific WAF rule IDs (e.g., 33aa8a8a948b48b28d40450c5fb92fba) have been deployed across Cloudflare's network.