Cloudflare has implemented new WAF rules to protect against a Remote Code Execution vulnerability affecting specific React versions and Next.js. All customers are automatically shielded as long as their traffic is routed through Cloudflare, but updating to React 19.2.1 and the latest Next.js versions is still recommended. Cloudflare's security team will monitor for potential attacks and adjust protections as needed.

On December 5, 2025, Cloudflare experienced a significant outage lasting about 25 minutes due to a configuration change related to their Web Application Firewall. The issue arose from a bug triggered when turning off a testing tool, resulting in HTTP 500 errors for around 28% of customer traffic. Cloudflare is implementing measures to prevent similar incidents in the future.

This article discusses improvements to Cloudflare's Web Application Firewall (WAF) payload logging feature, which helps identify the specific request fields that trigger WAF rules. It highlights how recent updates increase logging efficiency and clarity, reducing false positives and enhancing debugging for customers.

Cloudflare addressed a flaw in its WAF that let attackers bypass security measures and access origin servers during ACME validation. The issue arose from a logic error that disabled WAF features for certain requests, potentially allowing unauthorized access. The company implemented a fix to ensure that WAF features remain active unless the request matches a valid ACME token.