
119 points bavarianbob | 3 comments

EDIT: Back online?!

NPM discussion: https://github.com/npm/cli/issues/8203

NPM incident: https://status.npmjs.org/incidents/hdtkrsqp134s

Cloudflare messaging: https://www.cloudflarestatus.com/incidents/gshczn1wxh74

GitHub issue: https://github.com/sindresorhus/camelcase/issues/114

Anyone experiencing npm outage that's more than just the referenced camelcase package?

tom_usher No.43548817
Seems to be a change in Cloudflare's managed WAF ruleset - any site using that will have URLs containing 'camel' blocked due to the 'Apache Camel - Remote Code Execution - CVE:CVE-2025-29891' (a9ec9cf625ff42769298671d1bbcd247) rule.

That rule can be overridden if you're having this issue on your own site.


oncallthrow No.43550078
WAFs are so shit

ronsor No.43550728
WAFs are literally "a pile of regexes can secure my insecure software"

1. cluckindan No.43555585
They do mitigate known vulnerabilities.

2. rcxdude No.43566888
They may mitigate known proofs of concept of vulnerabilities, and require a small amount of creativity to work around. At the cost of randomly breaking things.

3. cluckindan No.43568248
That creativity takes time. WAFs are the first line of defence, buying some time for fixing the actual vulnerabilities.
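
The false positive tom_usher describes above (a rule that fires on any URL containing 'camel'), as an added example that is not from the thread or from Cloudflare: it replays known-good request URLs against a candidate rule and keeps the rule in log-only mode if any benign request would be blocked. The rule pattern, the sample URLs and the function names are constructed assumptions; the real managed rule's expression is not shown on this page.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed stand-in for the behaviour described in the thread (any URL
# containing "camel" is blocked). Not the real managed rule's expression.
CANDIDATE_RULE = re.compile(r"camel", re.IGNORECASE)

# Constructed sample of known-good request URLs, as might be drawn from access logs.
KNOWN_GOOD = [
    "https://registry.npmjs.org/camelcase",
    "https://registry.npmjs.org/camelcase/-/camelcase-0.0.0.tgz",
    "https://registry.npmjs.org/lodash",
    "https://registry.npmjs.org/express",
    "https://example.com/docs/naming/CamelCase.html",
    "https://example.com/api/v1/users?sort=name",
    "https://example.com/search?q=camel+milk",
    "https://example.com/static/app.js",
]


def would_block(rule, url):
    """Apply the rule to path + query (assumed here to be what the rule inspects)."""
    parts = urlsplit(url)
    target = parts.path + ("?" + parts.query if parts.query else "")
    return rule.search(target) is not None


def replay(rule, urls):
    """Return (blocked_urls, blocked_count_per_host) for known-good traffic."""
    blocked = [u for u in urls if would_block(rule, u)]
    per_host = Counter(urlsplit(u).hostname for u in blocked)
    return blocked, per_host


def rollout_mode(rule, urls, max_false_positive_rate=0.0):
    """Gate enforcement: benign hits above the budget keep the rule log-only."""
    blocked, _ = replay(rule, urls)
    rate = len(blocked) / len(urls)
    return ("block" if rate <= max_false_positive_rate else "log-only"), rate


if __name__ == "__main__":
    blocked, per_host = replay(CANDIDATE_RULE, KNOWN_GOOD)
    mode, rate = rollout_mode(CANDIDATE_RULE, KNOWN_GOOD)
    print(f"{len(blocked)}/{len(KNOWN_GOOD)} benign requests blocked ({rate:.0%}) -> {mode}")
    for host, n in per_host.most_common():
        print(f"  {host}: {n}")
```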