On Tuesday, November 18, 2025, Cloudflare – the San Francisco–based company that helps power and protect millions of websites – suffered a major network outage. Beginning around 11:20 UTC (6:20 a.m. ET), the disruption led to widespread 500‑error failures for visitors trying to reach websites behind Cloudflare’s network. Internet services, large and small, reported downtime: social media platforms like X (formerly Twitter), AI assistants such as ChatGPT, and even transit and gaming sites showed “Internal Server Error” messages or timeouts. Downdetector – the outage-monitoring site itself – briefly went offline, highlighting the irony that it relies on Cloudflare’s services. By late morning some recovery began; Cloudflare engineers were able to implement a fix by roughly 14:30 UTC, and all services were restored by about 17:06 UTC.
Cloudflare is a web infrastructure and security company that provides CDN (content delivery network) services for roughly one-fifth of the internet. Its systems help websites and apps load faster and stay online even under heavy load or attack. When Cloudflare’s network went down, it caused a “massive digital gridlock” as many user connections were routed through Cloudflare’s servers. Mike Chapple, a cybersecurity professor at Notre Dame, explains: “Cloudflare is a content delivery network that takes content from 20% of the world’s websites… It’s a win-win for everyone, until it fails, and 20% of the internet goes down at the same time”. In other words, this outage had a knock-on effect across the internet: users trying to reach dozens of sites – from AI chatbots to social apps to transit schedules – suddenly found themselves disconnected.
Timeline of the Outage
- ≈ 11:20 UTC (6:20 a.m. ET) – The first failures occurred, as Cloudflare’s network began returning HTTP 5xx errors on customer traffic. Visitors saw generic error pages telling them to “try again in a few minutes”. Early reports showed spikes in Cloudflare error codes across the web. Downdetector logged an initial surge of user reports around this time.
- 11:30–12:00 UTC – Third-party monitors at Cisco ThousandEyes observed a global outage affecting Cloudflare. They saw widespread timeouts and HTTP 500 errors, confirming a backend problem in Cloudflare’s network thousandeyes.com . At 11:37 UTC, Downdetector peaked at over 11,200 problem reports in a single minute . The Cloudflare status page was updated: “We are investigating an issue which impacts multiple customers: Widespread 500 errors, Cloudflare Dashboard and API also failing” . Around this time many of the biggest sites – X, OpenAI’s ChatGPT, Spotify, and more – were unreachable for much of the world.
- Afternoon (UTC) – Cloudflare engineers identified the root cause and deployed a fix. By about 14:30 UTC, core traffic through Cloudflare was “largely flowing as normal” after the bad configuration was replaced. Services came back up gradually, though some slowed traffic and intermittent errors persisted as users logged back on. By 17:06 UTC the company reported that all systems were functioning normally again. Downdetector’s reports fell sharply – by mid-afternoon they had dropped from thousands to just a few hundred – signaling that the outage was effectively over.
What Caused the Outage
Cloudflare and its CTO say the outage was self-inflicted – a mistake, not an attack. In an official post-mortem, Cloudflare explained that a routine change to its internal databases inadvertently triggered a bug in its Bot Management system. That change caused Cloudflare’s database to emit an oversized “feature file” (used to score web traffic for bots). The file doubled in size unexpectedly and was pushed out to all Cloudflare proxies. The proxy software had a hard limit on the file size, so it crashed and kept failing. In effect, a mundane configuration slip produced a flood of bad data that crashed Cloudflare’s routing software.
Importantly, Cloudflare emphasized no malicious attack was involved. The company’s CEO and CTO publicly clarified that “this was not an attack” but rather an internal glitch. CTO Dane Knecht wrote on X that “a latent bug in a service underpinning our bot mitigation capability started to crash after a routine configuration change we made… This was not an attack.” In other words, a software bug in Cloudflare’s own anti-bot system caused the cascade of failures. Once identified, the team reverted to a correct configuration file and restarted the core proxies, restoring traffic. By late afternoon they were able to confirm “elevated errors or latency” had subsided and only normal traffic remained .
Services Affected
Virtually every category of internet service was hit. Any website or app using Cloudflare’s CDN or security was at risk. Major social media, news, and entertainment platforms all saw outages. For example, X and ChatGPT/OpenAI reported erratic availability (some users saw “Internal Server Error” pages), as did video or music apps like Spotify and gaming services including League of Legends. Even public infrastructure felt it: New Jersey Transit warned that parts of its website were down or slow, and France’s SNCF said schedules might be missing. A partial list of affected sites (per Downdetector) included X, ChatGPT, AI chatbot “Claude”, ride-sharing services like Uber, shopping and food-delivery apps, and thousands more. One map of internet health showed a huge red blotch as Cloudflare’s nodes went offline globally.
According to Reuters and others, thousands of websites were offline simultaneously. Downdetector’s peak was over 11,000 problem reports (in just one minute) . By late morning ET (~16:20 UTC), reports had fallen to around 2,800, and continued declining as Cloudflare restored service. Still, for a few hours many workers found apps failing (even Zoom and GitHub saw glitches), and people logged on to social media to complain and check status pages. Even Cloudflare’s own status dashboard and API were initially down, meaning customers couldn’t log in – a sign of how deep the outage was .
Expert and Community Reactions
Security and infrastructure experts were quick to comment on the scale and cause of the outage. Alan Woodward, a cybersecurity professor at Surrey University, noted that the incident laid bare a systemic risk: “Cloudflare provides a form of internet shield… supporting something like 30% of the Fortune 100. The downside of being a gatekeeper… is that if this vital system fails, no one can use your service – be that website or app.” He called the outage “surprising, as such networks are designed to avoid single points of failure.”. Similarly, Lee Skillen, CTO of software firm Cloudsmith, warned that “modern infrastructure is built on deeply interconnected systems” and “there is no doubt that this has a wide-reaching impact worldwide…things will fail.” He urged companies to expect such events and build resilience.
Cybersecurity professor Mike Chapple illustrated the stakes: “When you access a website protected by Cloudflare… you connect to the nearest Cloudflare server. That protects the website… It’s a win-win for everyone, until it fails – and 20% of the internet goes down at the same time.”. His point: Cloudflare’s network mirrors so much web traffic that its failure effectively hobbled a fifth of all sites. Taylar Rajic of the Center for Strategic and International Studies echoed that theme, noting “most of the internet relies on a handful of these super-infrastructure companies… These outages just show how reliant most critical infrastructure is, from daily commerce up to national security.”. Investor Benjamin Schilz (CEO of messaging app Wire) similarly argued that recent outages at AWS and Cloudflare demonstrate the need for “resilience, diversity, and redundancy” in internet architecture.
On social media and status forums, many users shared memes and frustrated posts. Some quipped about the irony of Downdetector going dark, others posted screenshots of “500 Internal Server Error” pages. Cloudflare’s own team maintained an open line on X, posting regular updates (“fix implemented, monitoring recovery” etc.). Cloudflare CTO Knecht personally tweeted apologies: “Earlier today we failed our customers and the broader Internet… We let you down,” he wrote, stressing a “breakdown in our bot mitigation service… not an attack” was to blame. By evening, after service was restored, public comments ranged from relief (“web back up!”) to criticism (“how can we trust one provider for so much of the net?”).
Comparison to Past Outages
While Cloudflare outages are rare, this event followed a pattern of major internet outages in 2025. Only weeks earlier, Amazon Web Services suffered a massive failure that downed thousands of sites (from social media to banking apps) in October 2025. Last month Microsoft’s Azure cloud had a brief outage affecting Office 365 and gaming services. Such cloud catastrophes are drawing attention from experts and regulators alike. In fact, commentators noted that Cloudflare’s network, much like big cloud providers, represents a “single point of failure” for many businesses. “This was not the biggest outage of recent years,” an Independent report noted, “but it felt very dramatic… [it] shows how reliant we’ve become on a few big players”.
Cloudflare itself acknowledged the gravity. In its post-mortem,m the company apologized and said the outage was “unacceptable,” promising to invest in fixes so it “does not happen again”. Customers and experts will be watching how Cloudflare follows through on those promises. For now, the November 18 outage serves as a vivid reminder of the internet’s interconnected fragility: when one critical node fails, ripples are felt around the world.