Cloudflare Outage Pattern Reveals Critical Infrastructure Dependency Risk

The Third Outage Didn't Just Repeat the Pattern: It Grew From the Fix

At 17:48 UTC on February 20, 2026, Cloudflare began receiving failure signals from its own infrastructure. The cause was a newly deployed automated cleanup task, part of the company's ongoing effort to eliminate manual processes in its BYOIP (Bring Your Own IP) management pipeline. The task was built to identify and remove IP prefixes that customers had queued for deletion. Instead, it began withdrawing all of them.

The bug was a single missing value in an API query. The cleanup task passed the pending_delete parameter to the Addressing API with no accompanying value. Cloudflare's API server interpreted an empty string as a command to return all BYOIP prefixes on the network, not just those flagged for removal. The system then processed the full returned list as a deletion queue. Within minutes, approximately 1,100 of Cloudflare's 4,306 BYOIP prefixes, representing 25% of the total, had been withdrawn from global routing. An engineer identified the task and shut it down, but the damage was already propagated. Full service restoration didn't complete until 23:03 UTC, six hours and seven minutes after the incident began.

The recovery timeline alone would make this a significant outage. But the analytical weight comes from what the task was doing and why it existed.

The cleanup automation was a product of Code Orange: Fail Small, the company-wide remediation initiative Cloudflare launched following its November and December 2025 outages. The initiative's explicit goal was to replace manual operational processes with safe, health-mediated automation and to eliminate the architecture flaw that caused both prior incidents: instantaneous, ungated configuration deployment across the entire global network. The February task was built to remove a manual process. The bug it contained propagated unchecked because the Addressing API subsystem hadn't yet been brought under the graduated deployment framework that Code Orange was building.

Cloudflare's third failure emerged directly from the remediation work designed to prevent the second. The staging environment didn't catch the bug because it lacked production-scale BYOIP prefix data. There was no circuit breaker to detect that BGP prefixes were being withdrawn at an abnormal rate. These aren't critiques of effort or intent; they reflect a well-understood property of complex automation systems: the work of implementing safety infrastructure carries its own deployment risk, especially when testing environments don't faithfully replicate the conditions that matter.

Cloudflare's Quicksilver configuration propagation system, which pushes changes to 90% of servers within seconds, was the identified culprit in November and December. The Addressing API that triggered February's failure operates on similar principles, with immediate global propagation and no staged rollout. The February incident suggests that at least one workstream within the Code Orange initiative was still in progress at the point the outage occurred. The pattern holds even as the specific system changes.

One Architecture Flaw Ran Through Three Different Technical Failures

November 18, 2025: A File That Grew Too Large

The November incident began when a routine database permissions change caused Cloudflare's Bot Management classifier to pull duplicate rows, doubling the size of the feature configuration file. The proxy software that serves Cloudflare's traffic had a hardcoded limit for the number of classifier features it could load. The file now exceeded that limit. Proxies that attempted to reload the file couldn't handle the error gracefully and returned HTTP 500 responses to end users.

What made diagnosis difficult was the oscillating nature of the failure. The feature file refreshed every five minutes across the global network. Whether a given proxy succeeded or failed in any given cycle depended on which database replica it queried. Services including ChatGPT, Spotify, X, and Canva experienced intermittent failures for hours as some proxies operated correctly while others crashed. The pattern looked different from different vantage points, and Cloudflare's own status page went offline coincidentally at the same time, briefly suggesting an external attack.

December 5, 2025: The Fix for One Vulnerability Caused Another

Seventeen days later, Cloudflare was responding to CVE-2025-55182, an actively exploited remote code execution vulnerability in React Server Components. Engineers deployed a buffer size increase to 1MB for affected systems, using the company's gradual rollout process. When they noticed that an internal WAF testing tool didn't support the increased buffer, they needed to disable it quickly. Rather than routing that secondary change through the gradual rollout system, they used a global configuration killswitch that propagated to every server simultaneously.

The killswitch had been used successfully many times before. But applied to a rule with an "execute" action rather than a standard rule type, it triggered a dormant null-value bug in the Lua code running on older FL1 proxy servers. The result was HTTP 500 errors across approximately 28% of all HTTP traffic Cloudflare served, lasting around 25 minutes. The urgency of an active security vulnerability justified the deployment decision in the moment. The architecture made that decision catastrophic.

The Unifying Thread

The bugs across the three incidents were each technically distinct. The common factor is that configuration changes at Cloudflare can reach every server on the planet within seconds, with no graduated rollout, no per-region health gates, and no automatic revert on anomaly detection. When Cloudflare deploys software binary updates, those updates must clear multiple staged deployment gates before reaching full traffic. Configuration changes have historically operated on a different standard: change fast, propagate instantly, detect problems after the fact.

That asymmetry is what Code Orange exists to close. But closing it requires rearchitecting every system that touches live configuration across a network spanning hundreds of cities, and as February demonstrated, that rearchitecting work carries its own risk at each step.

Twenty Percent of the Internet's Traffic Through One Provider Is Not Diversification

The severity of each Cloudflare outage isn't determined solely by the technical scope of the failure. It's amplified by what Cloudflare handles. The company serves more than 20% of all global internet request traffic, protects over 41 million websites, and is used by 48.7% of the top one million websites by traffic. When Cloudflare fails, the affected population extends well beyond its 238,000 paying customers; it encompasses everyone who tries to reach any service that routes through Cloudflare's network.

That scale is both the product's value proposition and its systemic risk. But scale alone doesn't fully explain the exposure. The more precise concern is concentration: the degree to which global internet traffic has consolidated behind a small number of providers, such that any single failure has outsized consequences.

The Internet Society's CDN concentration tracker, which measures the Herfindahl-Hirschman Index across the top 10,000 most visited websites, recorded a rise from 2,448 to 3,410 between June 2021 and late 2025, a 39% increase in concentration over four years. Five providers, Cloudflare, Amazon, Google, Akamai, and Fastly, collectively host approximately 60% of index pages in the most-visited site cohort. The internet's distributed appearance, built on a protocol stack designed for resilience through redundancy, increasingly sits atop a physical and logical infrastructure that is neither.

Concentration compounds market-position risk in a way that Cloudflare's raw market share figures don't fully capture. Cloudflare's 48.7% share of top-traffic sites means that each outage doesn't affect a proportionate share of those sites' availability. It affects the downstream reliability perception of every service those sites support, plus every API consumer, mobile client, and third-party integration that touches them.

The diversification problem is particularly sharp for organizations running multi-cloud architectures. Running application workloads across AWS and Azure looks like diversification. But if both cloud environments route their traffic through Cloudflare for CDN delivery, DDoS protection, and DNS, the redundancy is illusory at the network layer. Multi-cloud strategies address compute and storage availability. They frequently don't address the shared bottlenecks, CDN layers, DNS providers, and control planes, that sit upstream of both.

"Fully Operational but Invisible": The Failure Mode Most Continuity Plans Miss

Standard business continuity planning is organized around application failures: what happens when a database goes down, a service becomes unresponsive, or a cloud region loses availability. BYOIP-class outages introduce a different failure category entirely, one that most continuity frameworks don't model.

On February 20, Laravel Cloud, a hosting platform built on Cloudflare's BYOIP infrastructure, experienced a complete service disruption. Its applications were running. Its databases were healthy. Its infrastructure was fully operational. But according to Laravel Cloud's own incident report, all services were unreachable because the company's prefixes had been locked in a "Withdrawn" state that could not be self-remediated through the Cloudflare dashboard. Recovery was entirely dependent on Cloudflare engineers manually restoring the prefixes at the network edge. The total disruption lasted approximately three hours and fifteen minutes, not because anything inside Laravel Cloud's infrastructure broke, but because the IP announcement layer that makes infrastructure visible to the internet was no longer under its control.

This is the "fully operational but invisible" failure class. The application stack functions correctly. No internal health checks register a problem. But no user or external system can reach it because the network path no longer exists.

The February recovery divided BYOIP customers into two distinct groups. Customers whose prefixes had only been withdrawn, routing announcements removed but service bindings intact, could re-advertise their prefixes through the Cloudflare dashboard once guidance was published at 19:19 UTC. Customers whose service bindings had been fully deleted by the cleanup task's systematic removal had no self-remediation path. Each of those prefixes required Cloudflare engineers to push configuration updates to every machine on the global edge individually, with 800 restored at 20:20 UTC and the remaining 300 not fully addressed until 23:03 UTC.

The practical implication for infrastructure planning is this: BYOIP dependency creates a failure surface that sits below the application layer, at the IP routing layer, where standard application failover mechanisms don't reach. A disaster recovery runbook that focuses on application health monitoring, database failover, and cloud-region redundancy will not catch this failure mode. Organizations that rely on BYOIP services need a separate question in their continuity planning: if IP prefixes are withdrawn from the internet and cannot be restored through the provider's dashboard, what is the fallback path?

The Integration Premium Becomes the Integration Penalty Under Failure

Cloudflare's product strategy is built around integration. A single account can handle CDN delivery, DDoS mitigation, DNS resolution, WAF rules, bot management, CAPTCHA (Turnstile), and zero trust network access. This creates genuine operational efficiency: one dashboard, one configuration system, one billing relationship. The integration premium is real.

During an outage, that same integration inverts. When a single incident triggers across one layer, every dependent layer activates simultaneously. November's bot management failure demonstrated this precisely: Cloudflare's Turnstile CAPTCHA, used to protect the Cloudflare dashboard login flow, became unavailable during the outage. Customers who needed to log in to the dashboard to implement workarounds couldn't complete the CAPTCHA protecting their login. The tool they needed to respond to the outage was itself behind the failing system.

The integration penalty is structural rather than incidental. Each additional Cloudflare service a customer adopts increases the number of functions that activate in any single outage. An organization using only Cloudflare for CDN delivery has partial exposure. An organization using Cloudflare for CDN, DNS, WAF, bot management, and zero trust access has full-stack exposure to any single incident. This pattern, where technical explanations obscure the deeper structural concentration risk, is examined in detail in our analysis of how infrastructure concentration risk gets hidden in technical post-mortems.

The Internet Society frames this through the lens of what resilience engineering calls separation of concerns: the principle that a failure in one functional layer should not automatically propagate to adjacent layers. Integrated stacks that bundle multiple functions under a single provider and a single configuration system violate this principle by design. A DNS configuration error can cascade to caching behavior, routing policy, and security rules simultaneously because all of those functions share the same underlying change propagation system.

This concern has moved from operational best practice to regulatory obligation for a significant portion of the economy. The EU's Digital Operational Resilience Act, effective January 2025, explicitly extends its third-party risk requirements to critical ICT providers including cloud platforms and CDN services. Under DORA, regulated financial institutions cannot treat a CDN provider outage as an event outside their operational control. They must demonstrate documented contingency plans, tested failover procedures, and vendor dependency maps that account for critical infrastructure providers. The regulation doesn't require eliminating Cloudflare as a provider. It requires proving that the organization has thought through what happens when Cloudflare fails and has a tested response ready.

What the Pattern Means for Infrastructure Risk Decisions

Three outages in four months from a provider handling a fifth of global internet traffic changes the statistical framing of the risk question. This is no longer an improbable scenario to theoretically insure against. It is a measurable frequency, and organizations that haven't conducted an infrastructure dependency audit since the November incident are operating on an implicit decision rather than a considered one.

The cleanup task that caused February's incident was built as part of Code Orange and was deployed to a system, the Addressing API, that hadn't yet been brought under the enhanced health-mediated deployment framework Code Orange was building. That gap suggests the initiative's Q1 2026 target had not been fully met at the time of the outage. Cloudflare has committed to staging environment improvements, rate-limiting on bulk BGP withdrawals, and standardized API schema handling to prevent parameter interpretation errors of the kind that triggered February. Whether those commitments have been completed across all affected systems remains to be confirmed; it's not yet clear from available public documentation that the full Code Orange workstream is closed.

For organizations using Cloudflare's BYOIP service, the February incident surfaced a specific gap worth closing before the next event. The recovery experience divided cleanly into two populations: customers whose prefixes were withdrawn but whose service bindings remained intact and had a dashboard self-remediation path, and customers whose service bindings were deleted and had none. Understanding which state your configuration would be in under a similar failure, and whether a dashboard re-advertisement path actually exists for your setup, is a concrete preparedness step that requires no additional vendor cost.

Multi-provider strategies deserve honest cost accounting. Maintaining parallel DNS providers, operating under multiple CDN vendors, and engineering genuinely independent failover paths all carry real costs in both budget and operational complexity. For many organizations, those costs won't be justified against the frequency and duration of outages. But the calculation should be a considered one, not a default. At minimum, most organizations can identify which Cloudflare functions are stacked over a single dependency and which ones have independent fallback options if the configuration layer fails.

For organizations subject to DORA, the February outage is a useful test of existing contingency plans. If the response to a CDN provider outage is to wait for the provider to resolve it, that plan likely doesn't satisfy DORA's requirements for demonstrated operational resilience. Regulators have signaled that they are building a compliance record now, before a catastrophic multi-hour outage produces formal enforcement actions against firms that treated provider failures as events entirely outside their control.

The total financial cost of the February outage to downstream businesses remains unpublished; Cloudflare's incident report documents operational impact, not revenue figures. But the pattern of failures is itself the data point. The question isn't whether Cloudflare will experience future outages. No provider at this scale with this pace of infrastructure change can provide that guarantee. The question is whether the organizations that depend on Cloudflare understand precisely how deep that dependency runs, and whether their contingency plans cover the failure modes including the "fully operational but invisible" BYOIP class that February introduced.