←back to thread

Tell HN: Camelgate NPM Outage (Cloudflare)

119 points bavarianbob | 7 comments | 01 Apr 25 16:19 UTC | HN request time: 0.829s | source | bottom

EDIT: Back online?!

NPM discussion: https://github.com/npm/cli/issues/8203

NPM incident: https://status.npmjs.org/incidents/hdtkrsqp134s

Cloudflare messaging: https://www.cloudflarestatus.com/incidents/gshczn1wxh74

GitHub issue: https://github.com/sindresorhus/camelcase/issues/114

Anyone experiencing npm outage that's more than just the referenced camelcase package?

Show context
tom_usher ◴[01 Apr 25 16:38 UTC] No.43548817[source]
Seems to be a change in Cloudflare's managed WAF ruleset - any site using that will have URLs containing 'camel' blocked due to the 'Apache Camel - Remote Code Execution - CVE:CVE-2025-29891' (a9ec9cf625ff42769298671d1bbcd247) rule.

That rule can be overridden if you're having this issue on your own site.

replies(3): >>43549123 #>>43550078 #>>43550699 #
internetter ◴[01 Apr 25 19:52 UTC] No.43550699[source]
> any site using that will have URLs containing 'camel' blocked

What engineer at cloudflare thought this was a good resolution?

replies(2): >>43550780 #>>43553343 #
1. Raed667 ◴[01 Apr 25 20:03 UTC] No.43550780[source]
I doubt the system is that simple. No one wrote a rule saying `if url.contains("camel") then block()` it's probably an unintended side-effect
replies(3): >>43551463 #>>43551871 #>>43558525 #
2. keithwhor ◴[01 Apr 25 21:19 UTC] No.43551463[source]
If this is a bet, I'll happily take the other side and give you 4:1 on it.
replies(1): >>43551525 #
3. dgfitz ◴[01 Apr 25 21:28 UTC] No.43551525[source]
Me too.
4. ycombinatrix ◴[01 Apr 25 22:13 UTC] No.43551871[source]
Akamai has been doing precisely that for years & years...
replies(2): >>43551942 #>>43552682 #
5. ◴[01 Apr 25 22:23 UTC] No.43551942[source]
6. benoau ◴[02 Apr 25 00:36 UTC] No.43552682[source]
I think you can include advertising/privacy block lists in that vein too, although that allows for the users to locally-correct any issues.
7. isbvhodnvemrwvn ◴[02 Apr 25 16:34 UTC] No.43558525[source]
Judging by previous outages it was probably a poorly tested overcomplicated regex which matched to much.