119 points bavarianbob | 1 comments | 01 Apr 25 16:19 UTC | HN request time: 0.371s | source

EDIT: Back online?!

NPM discussion: https://github.com/npm/cli/issues/8203

NPM incident: https://status.npmjs.org/incidents/hdtkrsqp134s

Cloudflare messaging: https://www.cloudflarestatus.com/incidents/gshczn1wxh74

GitHub issue: https://github.com/sindresorhus/camelcase/issues/114

Anyone experiencing npm outage that's more than just the referenced camelcase package?

Show context

tom_usher ◴[01 Apr 25 16:38 UTC] No.43548817[source]▶

>>43548589 (OP) #

Seems to be a change in Cloudflare's managed WAF ruleset - any site using that will have URLs containing 'camel' blocked due to the 'Apache Camel - Remote Code Execution - CVE:CVE-2025-29891' (a9ec9cf625ff42769298671d1bbcd247) rule.

That rule can be overridden if you're having this issue on your own site.

replies(3): >>43549123 #>>43550078 #>>43550699 #

internetter ◴[01 Apr 25 19:52 UTC] No.43550699[source]▶

>>43548817 #

> any site using that will have URLs containing 'camel' blocked

What engineer at cloudflare thought this was a good resolution?

replies(2): >>43550780 #>>43553343 #

Raed667 ◴[01 Apr 25 20:03 UTC] No.43550780[source]▶

>>43550699 #

I doubt the system is that simple. No one wrote a rule saying `if url.contains("camel") then block()` it's probably an unintended side-effect

replies(3): >>43551463 #>>43551871 #>>43558525 #

ycombinatrix ◴[01 Apr 25 22:13 UTC] No.43551871[source]▶

>>43550780 #

Akamai has been doing precisely that for years & years...

replies(2): >>43551942 #>>43552682 #

1. benoau ◴[02 Apr 25 00:36 UTC] No.43552682[source]▶

>>43551871 #

I think you can include advertising/privacy block lists in that vein too, although that allows for the users to locally-correct any issues.

↑

Tell HN: Camelgate NPM Outage (Cloudflare)