Tell HN: Camelgate NPM Outage (Cloudflare)
2 days ago
EDIT: Back online?!
NPM discussion: https://github.com/npm/cli/issues/8203
NPM incident: https://status.npmjs.org/incidents/hdtkrsqp134s
Cloudflare messaging: https://www.cloudflarestatus.com/incidents/gshczn1wxh74
GitHub issue: https://github.com/sindresorhus/camelcase/issues/114
Anyone experiencing npm outage that's more than just the referenced camelcase package?
Seems to be a change in Cloudflare's managed WAF ruleset - any site using that will have URLs containing 'camel' blocked due to the 'Apache Camel - Remote Code Execution - CVE:CVE-2025-29891' (a9ec9cf625ff42769298671d1bbcd247) rule.
That rule can be overridden if you're having this issue on your own site.
> any site using that will have URLs containing 'camel' blocked
What engineer at cloudflare thought this was a good resolution?
I doubt the system is that simple. No one wrote a rule saying `if url.contains("camel") then block()`; it's probably an unintended side-effect.
Confirmed here: https://www.cloudflarestatus.com/incidents/gshczn1wxh74
WAFs are so shit
WAFs are literally "a pile of regexes can secure my insecure software"
But are they less shit than the shitty software they filter traffic for?
Any path with the word "camel" seems to trigger this: https://www.npmjs.com/search?q=camel | https://registry.npmjs.org/camel123 | https://registry.yarnpkg.com/camel456
Some discussion here https://github.com/npm/cli/issues/8203
Edit: this is resolved now https://status.npmjs.org/incidents/hdtkrsqp134s
This is not CF WAF's first rodeo https://news.ycombinator.com/item?id=20421538
Cementing its track record as a product that mostly doesn't do anything except for occasionally break the internet here and there to keep things fun and interesting.
> a product that mostly doesn't do anything except for occasionally break the internet
I wouldn't say that. The postmortem you referred to links to another CloudFlare blog post - one about a pretty serious RCE vuln in Microsoft SharePoint that was blocked by their WAF: https://blog.cloudflare.com/stopping-cve-2019-0604/
I mean, it's hardly surprising CloudFlare will tell you this is a useful product. But it is to securing a web application what regex is to parsing HTML.
I'm not sure why "WAF has false positives" makes it useless, nor would I say this is anywhere near the scale of "breaking the internet", and I'm not even a fan of the concept of WAFs in general.
The last one took out a lot more stuff than this one but the argument is the same - this product is a checkmark thing and when it's not fulfilling its checkmark purpose, it causes outages. Still an amusing bi-modality! I suppose it shares it with DNSSEC.
We've used it to rescue some vintage appliances that are basically unsecurable.
The npm folks have officially acknowledged an incident now: https://status.npmjs.org/incidents/hdtkrsqp134s
Outsourcing WAF is a double-edged sword.
I would have thought a large company like GitHub or Microsoft can have their own WAF team for their apps.
(NPM is owned by GitHub, and GitHub is owned by Microsoft)
This is what you get when you buy security as an add-on product
Some orgs can't afford not to.
Glad you posted something, thought I was going nuts
Scunthorpe problem
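The two points made earlier in the thread (a coarse 'camel' match blocking registry URLs, and the advice that the rule can be overridden per site) and the "Scunthorpe problem" remark describe the same failure mode. The following is an added illustration, not Cloudflare's or npm's code and not the logic of the real managed rule: a toy rule engine in which the rule id and the three example URLs come from the thread, while both matchers, the override mechanism, the `lodash` URL and the header-carrying request are assumptions constructed for the demonstration. It measures how many benign registry requests each configuration would block and shows what a per-rule override changes.

```python
"""Why a coarse 'camel' match misfires on the npm registry, and what a
per-site rule override does about it.

Added illustration, not Cloudflare's or npm's code. Only the rule id and
the three example URLs come from the thread; every matcher below is a
simplified stand-in, not the logic of the real managed rule.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

# Rule id quoted in the thread. The matching logic attached to it here is an assumption.
APACHE_CAMEL_RULE_ID = "a9ec9cf625ff42769298671d1bbcd247"

Headers = Dict[str, str]
Matcher = Callable[[str, Headers], bool]


@dataclass
class Rule:
    rule_id: str
    description: str
    matcher: Matcher


@dataclass
class WafConfig:
    rules: List[Rule]
    # Rule ids the site owner has overridden: matches are logged, not blocked.
    overridden: Set[str] = field(default_factory=set)


def coarse_camel_matcher(url: str, headers: Headers) -> bool:
    """Scunthorpe-style rule: fires on 'camel' anywhere in the URL, query included."""
    return "camel" in url.lower()


def header_scoped_matcher(url: str, headers: Headers) -> bool:
    """Narrower stand-in (assumption): inspect request header names only and
    leave the URL path and query alone, so package names never trip it."""
    return any("camel" in name.lower() for name in headers)


def evaluate(cfg: WafConfig, url: str, headers: Optional[Headers] = None) -> Tuple[str, Optional[str]]:
    """Return (decision, rule_id): 'block', 'log' (an overridden rule matched) or 'allow'."""
    headers = headers or {}
    for rule in cfg.rules:
        if rule.matcher(url, headers):
            if rule.rule_id in cfg.overridden:
                return "log", rule.rule_id
            return "block", rule.rule_id
    return "allow", None


def false_positive_rate(cfg: WafConfig, traffic: List[Tuple[str, Headers, bool]]) -> float:
    """Share of benign requests (is_malicious == False) that the config would block."""
    benign = [(u, h) for u, h, malicious in traffic if not malicious]
    blocked = sum(1 for u, h in benign if evaluate(cfg, u, h)[0] == "block")
    return blocked / len(benign) if benign else 0.0


COARSE_CFG = WafConfig([Rule(APACHE_CAMEL_RULE_ID, "Apache Camel RCE (coarse stand-in)", coarse_camel_matcher)])
OVERRIDDEN_CFG = WafConfig(COARSE_CFG.rules, overridden={APACHE_CAMEL_RULE_ID})
SCOPED_CFG = WafConfig([Rule(APACHE_CAMEL_RULE_ID, "Apache Camel RCE (header-scoped stand-in)", header_scoped_matcher)])

# Constructed traffic sample. The three 'camel' URLs are the ones quoted in the
# thread; the lodash URL and the header-carrying request are made up here.
SAMPLE_TRAFFIC: List[Tuple[str, Headers, bool]] = [
    ("https://www.npmjs.com/search?q=camel", {}, False),
    ("https://registry.npmjs.org/camel123", {}, False),
    ("https://registry.yarnpkg.com/camel456", {}, False),
    ("https://registry.npmjs.org/lodash", {}, False),
    # Constructed request carrying a 'camel'-named header: the kind of thing a
    # header-scoped rule exists to flag, and one the URL-only rule never sees.
    ("https://example.test/api", {"Camel-Probe": "1"}, True),
]

if __name__ == "__main__":
    for name, cfg in (("coarse", COARSE_CFG), ("coarse+override", OVERRIDDEN_CFG), ("header-scoped", SCOPED_CFG)):
        print(f"{name:16s} benign requests blocked: {false_positive_rate(cfg, SAMPLE_TRAFFIC):.0%}")
        for url, hdrs, _ in SAMPLE_TRAFFIC:
            print("    ", evaluate(cfg, url, hdrs)[0].ljust(5), url)
```

Run stand-alone, the coarse configuration blocks three of the four benign registry URLs while letting the constructed header-carrying request through, because it only ever looks at the URL. The override keeps the coarse rule's matches in the logs but stops it blocking, which is the per-site remedy the thread points to while waiting for the vendor fix. The header-scoped stand-in blocks nothing benign; it is there to show that the false positives come from where the rule looks, not from the existence of the rule.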
Is this also why unpkg has been up and down all morning?
unpkg barely works even when there's no incident