How a Single React useEffect Bug Took Down Cloudflare

On September 12, 2025, Cloudflare — the company famous for protecting the internet from DDoS attacks suffered a global outage.

Ironically, it wasn’t caused by hackers.

It wasn’t caused by some nation-state exploit.

It was caused by one React useEffect bug in their dashboard.

That’s right. The same company that sells protection against distributed denial-of-service (DDoS) attacks ended up DDoSing itself.

This isn’t just funny. It’s terrifying. And it should make every developer rethink how small frontend mistakes can trigger global infrastructure failures.

The Bug That Started It All

Here’s the snippet at the center of the storm:

useEffect(() => {
  fetchTenantData(configObject)
}, [configObject])

Looks innocent, right? But here’s the trap:

• configObject was being recreated every render.
• React compares object references, not values.
• New reference on each render = React thinks it’s changed.
• That means the effect re-runs on every render.