Saturday, September 20, 2025

Cloudflare Self-DoS Caused by Dashboard React Hook Misconfiguration — Arabian Post


Cloudflare has determined that a bug in its dashboard software triggered an overload of its own backend systems on 12 September 2025, knocking its Tenant Service API offline and disrupting many of its public APIs and its dashboard interface.

Engineers traced the failure to a React useEffect hook in the dashboard code which was supplied with a dependency array containing a mutable object. Because that object was recreated on every render, React treated it as constantly changing. That caused the hook to fire repeatedly during single renders, generating a flood of API calls. The Tenant Service API, responsible for authorising API requests, was unable to cope with the surge, leading to widespread availability failures.
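The mechanism described above can be reproduced without React. The following is an added example, not Cloudflare's dashboard code: a simplified model of the dependency check (each entry compared to its previous value with Object.is). It assumes the effect stores its response in state, which schedules another render. The names simulate, depsChanged and tenantId are hypothetical.

```javascript
// Simplified model of the effect dependency check: an effect re-runs when
// any dependency differs from its previous value under Object.is.
function depsChanged(prev, next) {
  if (prev === null) return true; // first render always runs the effect
  return next.some((dep, i) => !Object.is(dep, prev[i]));
}

// Simulate a component whose effect calls an API and stores the result in
// state (assumption). Storing state queues another render.
// makeDeps(props) builds the dependency array as the component would.
function simulate(makeDeps, maxRenders = 50) {
  const props = { tenantId: "tenant-123" }; // constructed sample value
  let prevDeps = null;
  let apiCalls = 0;
  let renders = 0;
  let renderQueued = true;
  while (renderQueued && renders < maxRenders) {
    renderQueued = false;
    renders++;
    const deps = makeDeps(props);
    if (depsChanged(prevDeps, deps)) {
      apiCalls++;          // effect body: one request to the backend
      renderQueued = true; // response stored in state, so render again
    }
    prevDeps = deps;
  }
  return { renders, apiCalls };
}

// Bug pattern: the object is rebuilt on every render, so its identity
// changes each time even though its contents are equal.
const unstable = simulate((p) => [{ tenantId: p.tenantId }]);

// Fix 1: depend on the primitive value instead of the wrapper object.
const primitive = simulate((p) => [p.tenantId]);

// Fix 2: keep one stable object reference across renders (what memoising
// the object achieves).
const memo = { tenantId: "tenant-123" };
const memoised = simulate(() => [memo]);

console.log({ unstable, primitive, memoised });
```

The unstable case only stops because of the maxRenders cap in the simulation; in a browser the loop has no such cap, and the backend absorbs one request per iteration from every open session.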

The sequence of events shows compounding errors. At 16:32 UTC, the faulty dashboard update containing the misconfigured hook was released. At 17:50 UTC, an updated version of the Tenant Service API was deployed. Seven minutes later, at 17:57 UTC, the overload began as the dashboard repeatedly hit the Tenant Service.

Cloudflare responded by increasing the number of “pods” available to the Tenant Service to improve capacity, and imposing a global rate limit to reduce the volume of requests. These steps helped restore some API availability, but the dashboard remained largely unavailable for some time. An attempted fix to error-handling code at around 18:58 UTC backfired, momentarily worsening errors before those changes were reverted. Full recovery of both dashboard and API services was achieved by 19:12 UTC.

Cloudflare emphasises that the issue affected its control plane—the systems managing configuration, dashboard, and management APIs—not the data plane which routes customer traffic. In practice, most end-users who do not use the dashboard for configuration were not affected.

Following the outage, Cloudflare announced a set of remediation measures. It plans to accelerate migration of the Tenant Service to use Argo Rollouts, a deployment tool that can detect faulty updates and automatically roll them back. The company also intends to add delays to dashboard retry logic to prevent spike-like traffic surges when services recover. The monitoring and alerting systems are being improved, including flags to distinguish new API requests from retries, which will help identify such runaway loops sooner.

