[HN Gopher] Camelgate NPM Outage (Cloudflare)
       ___________________________________________________________________
        
       Camelgate NPM Outage (Cloudflare)
        
       EDIT: Back online?!
       NPM discussion: https://github.com/npm/cli/issues/8203
       NPM incident: https://status.npmjs.org/incidents/hdtkrsqp134s
       Cloudflare messaging: https://www.cloudflarestatus.com/incidents/gshczn1wxh74
       GitHub issue: https://github.com/sindresorhus/camelcase/issues/114
       Anyone experiencing an npm outage that's more than just the referenced
       camelcase package?
        
       Author : bavarianbob
       Score  : 78 points
       Date   : 2025-04-01 16:19 UTC (6 hours ago)
        
       | Recursing wrote:
       | Any path with the word "camel" seems to trigger this:
       | https://www.npmjs.com/search?q=camel
       | https://registry.npmjs.org/camel123
       | https://registry.yarnpkg.com/camel456
       | 
       | Some discussion here https://github.com/npm/cli/issues/8203
       | 
       | Edit: this is resolved now
       | https://status.npmjs.org/incidents/hdtkrsqp134s
        
       | tom_usher wrote:
       | Seems to be a change in Cloudflare's managed WAF ruleset - any
       | site using that will have URLs containing 'camel' blocked due to
       | the 'Apache Camel - Remote Code Execution - CVE:CVE-2025-29891'
       | (a9ec9cf625ff42769298671d1bbcd247) rule.
       | 
       | That rule can be overridden if you're having this issue on your
       | own site.
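       Added example (not from the thread, and not Cloudflare's or npm's own
       configuration): one way to apply the per-site override tom_usher
       mentions, written for the Cloudflare Terraform provider v4
       `cloudflare_ruleset` resource. The managed rule ID is the one quoted
       above; the Cloudflare Managed Ruleset ID
       `efb7b8c949ac4650a09736fc376e9aee`, the `zone_id` variable and the
       hostname `registry.example.com` are assumptions for illustration. The
       exception is scoped to the one host that legitimately serves "camel"
       paths, and the rule is set to log rather than disabled, so the managed
       ruleset keeps enforcing everywhere else and the false positives stay
       visible in Security Events.

```hcl
# Added example, not from the thread. Assumptions: var.zone_id, the
# hostname registry.example.com, and the Cloudflare Managed Ruleset id
# "efb7b8c949ac4650a09736fc376e9aee". The overridden rule id is the
# "Apache Camel - Remote Code Execution" rule quoted in the thread.

variable "zone_id" {
  type = string
}

resource "cloudflare_ruleset" "managed_waf" {
  zone_id     = var.zone_id
  name        = "Managed WAF entrypoint"
  description = "Cloudflare Managed Ruleset with a host-scoped Apache Camel exception"
  kind        = "zone"
  phase       = "http_request_firewall_managed"

  # Rule 1: on the package registry host, run the managed ruleset but
  # downgrade the Apache Camel rule to log-only, so /camelcase, /camel123
  # and ?q=camel are no longer blocked there while still being recorded.
  rules {
    action      = "execute"
    description = "Managed ruleset, Apache Camel rule log-only on registry host"
    expression  = "(http.host eq \"registry.example.com\")"
    enabled     = true
    action_parameters {
      id = "efb7b8c949ac4650a09736fc376e9aee"
      overrides {
        rules {
          id      = "a9ec9cf625ff42769298671d1bbcd247"
          action  = "log"
          enabled = true
        }
      }
    }
  }

  # Rule 2: every other host gets the managed ruleset with default actions,
  # so the Apache Camel rule still blocks where "camel" never appears in a
  # legitimate path or query string.
  rules {
    action      = "execute"
    description = "Managed ruleset, default actions"
    expression  = "(http.host ne \"registry.example.com\")"
    enabled     = true
    action_parameters {
      id = "efb7b8c949ac4650a09736fc376e9aee"
    }
  }
}
```

       After `terraform apply`, check the exception by requesting a benign
       path containing "camel" on the scoped host and a path on any other
       host: the first should return the origin's normal response, the
       second should still be blocked by the managed rule. Keeping the rule
       on `log` rather than `enabled = false` means the Security Events log
       still shows every hit, which is what you want when deciding whether
       to keep the exception once the upstream ruleset is fixed.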
        
         | cbovis wrote:
         | Confirmed here:
         | https://www.cloudflarestatus.com/incidents/gshczn1wxh74
        
         | oncallthrow wrote:
         | WAFs are so shit
        
           | ronsor wrote:
           | WAFs are literally "a pile of regexes can secure my insecure
           | software"
        
             | mschuster91 wrote:
             | To be fair to WAFs, most are more than just a pile of
             | regexes. Things like detecting bot traffic - be it spammers
             | or AI scrapers - are valuable (ESPECIALLY the AI scraper
             | detection, because unlike search engines these things have
             | zero context recognition or respect for robots.txt and will
             | just happily go on and ingest very heavy endpoints), and
             | the large CDN/WAF providers can do it even better because
             | they can spot shit like automated port scanners, Metasploit
             | or similar skiddie tooling across all the services that use
             | them.
             | 
             | Honestly what I'd _love_ to see is AWS, GCE, Azure, Fastly,
             | Cloudflare and Akamai band together and share information
             | about such bad actors, compile evidence lists and file
             | abuse reports against their ISP - or, in case the ISP is a
             | "bulletproof hoster" or certain enemy states, bring in
             | enforcement actors like governments to get these bad ISPs
             | disconnected from the Internet.
        
         | internetter wrote:
         | > any site using that will have URLs containing 'camel' blocked
         | 
         | What engineer at cloudflare thought this was a good resolution?
        
           | Raed667 wrote:
           | I doubt the system is that simple. No one wrote a rule saying
           | `if url.contains("camel") then block()`; it's probably an
           | unintended side-effect.
        
             | keithwhor wrote:
             | If this is a bet, I'll happily take the other side and give
             | you 4:1 on it.
        
               | dgfitz wrote:
               | Me too.
        
             | ycombinatrix wrote:
             | Akamai has been doing precisely that for years & years...
        
       | nwalters512 wrote:
       | The npm folks have officially acknowledged an incident now:
       | https://status.npmjs.org/incidents/hdtkrsqp134s
        
       | mplanchard wrote:
       | Glad you posted something, thought I was going nuts
        
       | klysm wrote:
       | This is what you get when you buy security as an add-on product
        
       | drusepth wrote:
       | Is this also why unpkg has been up and down all morning?
        
         | ycombinatrix wrote:
         | unpkg barely works even when there's no incident
        
       | pvg wrote:
       | This is not CF WAF's first rodeo
       | https://news.ycombinator.com/item?id=20421538
       | 
       | Cementing its track record as a product that mostly doesn't do
       | anything except for occasionally break the internet here and
       | there to keep things fun and interesting.
        
         | calvinmorrison wrote:
         | we've used it to rescue some vintage appliances that are
         | basically unsecurable.
        
         | AdamJacobMuller wrote:
         | I'm not sure why "WAF has false positives" makes it useless,
         | nor would I say this is anywhere near the scale of "breaking
         | the internet" and I'm not even fan of the concept of WAFs in
         | general.
        
           | pvg wrote:
           | The last one took out a lot more stuff than this one but the
           | argument is the same - this product is a checkmark thing and
           | when it's not fulfilling its checkmark purpose, it causes
           | outages. Still an amusing bi-modality! I suppose it shares it
           | with DNSSEC.
        
             | misiek08 wrote:
             | Basically CF default WAF settings saved more small and
             | medium companies than I can even count. I'm not a CF fan, but
             | WAFs (with rate limiting) do help. Sad that one or two
             | incidents for such complicated and big services make people
             | post such comments, but c'mon - it doesn't have AI in its
             | name so sheep have to cry, right?
        
       ___________________________________________________________________
       (page generated 2025-04-01 23:01 UTC)