
Tell HN: Camelgate NPM Outage (Cloudflare)

122 points | bavarianbob | 11 months ago

EDIT: Back online?!

NPM discussion: https://github.com/npm/cli/issues/8203

NPM incident: https://status.npmjs.org/incidents/hdtkrsqp134s

Cloudflare messaging: https://www.cloudflarestatus.com/incidents/gshczn1wxh74

GitHub issue: https://github.com/sindresorhus/camelcase/issues/114

Anyone experiencing an npm outage that's more than just the referenced camelcase package?

36 comments


tom_usher|11 months ago

Seems to be a change in Cloudflare's managed WAF ruleset - any site using that will have URLs containing 'camel' blocked due to the 'Apache Camel - Remote Code Execution - CVE:CVE-2025-29891' (a9ec9cf625ff42769298671d1bbcd247) rule.

That rule can be overridden if you're having this issue on your own site.
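As an added illustration (not from the thread, and not Cloudflare's actual rule text) of how a bare substring match on 'camel' catches ordinary npm registry requests, here is a small Python pre-deployment check a defender can run against the registry paths their own lockfile would fetch; the package list and both patterns are constructed for the example.

```python
import re

# Constructed stand-in for a lockfile's dependencies; not real traffic
# and not the WAF vendor's rule content.
LOCKFILE_DEPS = [
    ("camelcase", "8.0.0"),
    ("camelcase-keys", "9.1.3"),
    ("@scope/camel-tools", "1.2.0"),
    ("lodash", "4.17.21"),
    ("react", "18.3.1"),
]


def registry_paths(name, version):
    """npm registry URL paths a client fetches for one dependency:
    the packument and the tarball (scoped tarballs keep the scope prefix)."""
    base = name.split("/")[-1]
    return [f"/{name}", f"/{name}/-/{base}-{version}.tgz"]


def false_positives(pattern, deps=LOCKFILE_DEPS):
    """Return the legitimate request paths a candidate WAF regex would block."""
    rx = re.compile(pattern, re.IGNORECASE)
    hits = []
    for name, version in deps:
        for path in registry_paths(name, version):
            if rx.search(path):
                hits.append(path)
    return hits


# Hypothetical patterns for comparison: a bare substring rule versus one
# scoped to a whole path segment. Neither is the vendor's real signature.
BROAD_PATTERN = r"camel"
SEGMENT_PATTERN = r"(?:^|/)camel(?:/|$)"

if __name__ == "__main__":
    for label, pattern in (("broad", BROAD_PATTERN), ("segment", SEGMENT_PATTERN)):
        blocked = false_positives(pattern)
        print(f"{label:8s} {pattern!r}: {len(blocked)} legitimate path(s) blocked")
        for path in blocked:
            print("   ", path)
```

Running this against a real lockfile's package list before enabling a new managed rule is a cheap way to spot this class of outage in staging rather than in production.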

internetter|11 months ago

> any site using that will have URLs containing 'camel' blocked

What engineer at cloudflare thought this was a good resolution?

oncallthrow|11 months ago

WAFs are so shit

pvg|11 months ago

This is not CF WAF's first rodeo https://news.ycombinator.com/item?id=20421538

Cementing its track record as a product that mostly doesn't do anything except for occasionally break the internet here and there to keep things fun and interesting.

lynnesbian|11 months ago

> a product that mostly doesn't do anything except for occasionally break the internet

I wouldn't say that. The postmortem you referred to links to another CloudFlare blog post - one about a pretty serious RCE vuln in Microsoft SharePoint that was blocked by their WAF: https://blog.cloudflare.com/stopping-cve-2019-0604/

AdamJacobMuller|11 months ago

I'm not sure why "WAF has false positives" makes it useless, nor would I say this is anywhere near the scale of "breaking the internet", and I'm not even a fan of the concept of WAFs in general.

calvinmorrison|11 months ago

We've used it to rescue some vintage appliances that are basically unsecurable.

miyuru|11 months ago

Outsourcing WAF is a double-edged sword.

I would have thought a large company like GitHub or Microsoft can have their own WAF team for their apps.

(NPM is owned by GitHub, and GitHub is owned by Microsoft)

klysm|11 months ago

This is what you get when you buy security as an add-on product

troyvit|11 months ago

Some orgs can't afford not to.

mplanchard|11 months ago

Glad you posted something, thought I was going nuts

drusepth|11 months ago

Is this also why unpkg has been up and down all morning?

ycombinatrix|11 months ago

unpkg barely works even when there's no incident

time4tea|11 months ago

Scunthorpe problem