Comment by tom_usher

Comment by tom_usher 3 days ago

20 replies

View on Hacker News

Seems to be a change in Cloudflare's managed WAF ruleset - any site using that will have URLs containing 'camel' blocked due to the 'Apache Camel - Remote Code Execution - CVE:CVE-2025-29891' (a9ec9cf625ff42769298671d1bbcd247) rule.

That rule can be overridden if you're having this issue on your own site.

internetter 3 days ago

> any site using that will have URLs containing 'camel' blocked

What engineer at cloudflare thought this was a good resolution?

Reply View 8 replies
  • Raed667 3 days ago

    I doubt the system is that simple. No one wrote a rule saying `if url.contains("camel") then block()` it's probably an unintended side-effect

    Reply View 6 replies
    • keithwhor 3 days ago

      If this is a bet, I'll happily take the other side and give you 4:1 on it.

      Reply View 1 reply
    • ycombinatrix 3 days ago

      Akamai has been doing precisely that for years & years...

      Reply View 2 replies
      • [removed] 3 days ago
        [deleted]
        Reply View 0 replies
      • benoau 3 days ago

        I think you can include advertising/privacy block lists in that vein too, although that allows for the users to locally-correct any issues.

        Reply View 0 replies
    • isbvhodnvemrwvn 2 days ago

      Judging by previous outages it was probably a poorly tested overcomplicated regex which matched to much.

      Reply View 0 replies
oncallthrow 3 days ago

WAFs are so shit

Reply View 9 replies
  • ronsor 3 days ago

    WAFs are literally "a pile of regexes can secure my insecure software"

    Reply View 7 replies
    • mschuster91 3 days ago

      To be fair to WAFs, most are more than just a pile of regexes. Things like detecting bot traffic - be it spammers or AI scrapers - are valuable (ESPECIALLY the AI scraper detection, because unlike search engines these things have zero context recognition or respect for robots.txt and will just happily go on and ingest very heavy endpoints), and the large CDN/WAF providers can do it even better because they can spot shit like automated port scanners, Metasploit or similar skiddie tooling across all the services that use them.

      Honestly what I'd _love_ to see is AWS, GCE, Azure, Fastly, Cloudflare and Akamai band together and share information about such bad actors, compile evidence lists and file abuse reports against their ISP - or in case the ISP is a "bulletproof hoster" or certain enemy states, initiate enforcement actors like governments to get these bad ISPs disconnected from the Internet.

      Reply View 3 replies
      • randunel 3 days ago

        Why would scrapes get blocked, is scrapping illegal?

        Reply View 2 replies
    • cluckindan 2 days ago

      They do mitigate known vulnerabilities.

      Reply View 2 replies
      • rcxdude 2 days ago

        They may mitigate known proofs of concept of vulnerabilities, and require a small amount of creativity to work around. At the cost of randomly breaking things.

        Reply View 1 reply
        • cluckindan a day ago

          That creativity takes time. WAFs are the first line of defence, buying some time for fixing the actual vulnerabilities.

          Reply View 0 replies
  • UltraSane 3 days ago

    But are they less shit than the shitty software they filter traffic for?

    Reply View 0 replies