<- Back
Comments (30)
- RecursingAny path with the word "camel" seem to trigger this: https://www.npmjs.com/search?q=camel | https://registry.npmjs.org/camel123 | https://registry.yarnpkg.com/camel456Some discussion here https://github.com/npm/cli/issues/8203Edit: this is resolved now https://status.npmjs.org/incidents/hdtkrsqp134s
- tom_usherSeems to be a change in Cloudflare's managed WAF ruleset - any site using that will have URLs containing 'camel' blocked due to the 'Apache Camel - Remote Code Execution - CVE:CVE-2025-29891' (a9ec9cf625ff42769298671d1bbcd247) rule.That rule can be overridden if you're having this issue on your own site.
- pvgThis is not CF WAF's first rodeo https://news.ycombinator.com/item?id=20421538Cementing its track record as a product that mostly doesn't do anything except for occasionally break the internet here and there to keep things fun and interesting.
- nwalters512The npm folks have officially acknowledged an incident now: https://status.npmjs.org/incidents/hdtkrsqp134s
- miyuruOutsourcing WAF is a double-edged sword.I would have thought a large company like GitHub or Microsoft can have their own WAF team for their apps.(NPM is owned by GitHub, and GitHub is owned by Microsoft)
- klysmThis is what you get when you buy security as an add-on product
- mplanchardGlad you posted something, thought I was going nuts
- drusepthIs this also why unpkg has been up and down all morning?
- anonundefined
- anonundefined
- anonundefined