Quick reads
- A global outage on Nov 18, 2025, disrupted X, ChatGPT and many sites that use Cloudflare.
- Cloudflare says a latent software bug, triggered by a routine configuration change in its bot-management system, caused the failure — not a cyberattack.
- The problem came from an unexpectedly large configuration/feature file that crashed traffic-handling software and propagated across the network.
- Services were gradually restored after Cloudflare deployed a fix; companies, including OpenAI, confirmed outages and pointed to Cloudflare as the third-party cause.
What happened
On November 18, 2025, users worldwide began seeing error pages and failures when accessing popular services. Cloudflare, the web-security and traffic-routing provider used by a large portion of the internet,, experienced a broad degradation that prevented traffic from flowing normally to many sites and apps. High-profile services affected included X (formerly Twitter), OpenAI’s ChatGPT, Canva, Spotify and numerous news and government sites.
How a “latent bug” caused a global ripple
Cloudflare says a routine change caused a database to produce far more entries than expected for a file used by its bot-management (threat mitigation) system. That feature/config file ballooned in size and then crashed the software that reads it; the failure cascaded because the configuration was propagated across Cloudflare’s distributed network. Company engineers rolled back the change and pushed fixes; services recovered after the remediation. Cloudflare and multiple reporting outlets emphasised there is no evidence that the disruption was caused by malicious activity.
Who felt the pain
Any site or app that relies on Cloudflare for DDoS protection, load balancing or content delivery was potentially affected. That included consumer apps (ChatGPT, X, music and retail platforms), media outlets, and even some government services, making the outage visible to millions within hours. Companies whose front ends rely on Cloudflare logged partial or full outages; some services fell back to degraded modes as traffic routes were repaired.
Why this matters
Cloudflare sits at the edge of a big slice of the web. A single latent bug in an automated configuration pipeline can cascade quickly through systems that assume configuration files are small and stable. The incident underlines the operational risk of centralised infrastructure components and the need for defensive guard size limits, staged rollouts and stronger validation around automated config changes. Cloudflare says it will publish a post-mortem and take steps to prevent a recurrence.
