---
title: Changelogs
image: https://developers.cloudflare.com/cf-twitter-card.png
---


# Changelog

New updates and improvements at Cloudflare.


Sep 30, 2025
1. ### [WARP client for Linux (version 2025.7.176.0)](https://developers.cloudflare.com/changelog/post/2025-09-30-warp-linux-ga/)  
[ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/)  
A new GA release for the Linux WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/).  
This release contains minor fixes and improvements including an updated public key for Linux packages. The public key must be updated if it was installed before September 12, 2025 to ensure the repository remains functional after December 4, 2025\. Instructions to make this update are available at [pkg.cloudflareclient.com](https://pkg.cloudflareclient.com/).

**Changes and improvements**

  * MASQUE is now the default [tunnel protocol](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#device-tunnel-protocol) for all new WARP device profiles.
  * Improvement to limit idle connections in [Gateway with DoH mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/#dns-only-mode) to avoid unnecessary resource usage that can lead to DoH requests not resolving.
  * Improvements to maintain [Global WARP override](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#disconnect-warp-on-all-devices) settings when [switching between organizations](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/switch-organizations/#switch-organizations-in-the-cloudflare-one-client).
  * Improvements to maintain client connectivity during network changes.

**Known issues**

  * Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to [Route traffic to fallback server](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/#route-traffic-to-fallback-server).

Sep 30, 2025
1. ### [Application granular controls for operations in SaaS applications](https://developers.cloudflare.com/changelog/post/2025-09-25-new-granular-controls-for-saas-applications/)  
[ Gateway ](https://developers.cloudflare.com/cloudflare-one/traffic-policies/)  
Gateway users can now apply granular controls to their file sharing and AI chat applications through [HTTP policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies).  
The new feature offers two methods of controlling SaaS applications:

  * **Application Controls** are curated groupings of Operations which provide an easy way for users to achieve a specific outcome. Application Controls may include _Upload_, _Download_, _Prompt_, _Voice_, and _Share_ depending on the application.
  * **Operations** are controls aligned to the most granular action a user can take. This provides a fine-grained approach to enforcing policy and generally aligns to the SaaS provider's API specifications in naming and function.  
Get started using [Application Granular Controls](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/granular-controls) and refer to the list of [supported applications](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/granular-controls/#compatible-applications).

Sep 29, 2025
1. ### [Regional Data in Cloudflare Radar](https://developers.cloudflare.com/changelog/post/2025-09-29-radar-regional-data/)  
[ Radar ](https://developers.cloudflare.com/radar/)  
[**Radar**](https://developers.cloudflare.com/radar/) now introduces Regional Data, providing traffic insights that bring a more localized perspective to the traffic trends shown on Radar.  
The following API endpoints are now available:

  * [Get Geolocation](https://developers.cloudflare.com/api/resources/radar/subresources/geolocations/methods/get/) \- Retrieves geolocation by `geoId`.
  * [List Geolocations](https://developers.cloudflare.com/api/resources/radar/subresources/geolocations/methods/list/) \- Lists geolocations.
  * [NetFlows Summary By Dimension](https://developers.cloudflare.com/api/resources/radar/subresources/netflows/methods/summary%5Fv2/) \- Retrieves NetFlows summary by dimension.  
All `summary` and `timeseries_groups` endpoints in [HTTP](https://developers.cloudflare.com/api/resources/radar/subresources/http/) and [NetFlows](https://developers.cloudflare.com/api/resources/radar/subresources/netflows/) now include an `adm1` dimension for grouping data by first-level administrative division (for example, state or province).  
A new filter `geoId` was also added to all endpoints in [HTTP](https://developers.cloudflare.com/api/resources/radar/subresources/http/) and [NetFlows](https://developers.cloudflare.com/api/resources/radar/subresources/netflows/), allowing filtering by a specific administrative division.  
Check out the new Regional traffic insights on a country-specific traffic page: [new Radar page ↗](https://radar.cloudflare.com/traffic/pt).

Sep 29, 2025
1. ### [WAF Release - 2025-09-29](https://developers.cloudflare.com/changelog/post/2025-09-29-waf-release/)  
[ WAF ](https://developers.cloudflare.com/waf/)  
This week highlights four important vendor- and component-specific issues: an authentication bypass in SimpleHelp (CVE-2024-57727), an information-disclosure flaw in Flowise Cloud (CVE-2025-58434), an SSRF in the WordPress plugin Ditty (CVE-2025-8085), and a directory-traversal bug in Vite (CVE-2025-30208). These are paired with improvements to our generic detection coverage (SQLi, SSRF) to raise the baseline and reduce noisy gaps.

**Key Findings**

  * SimpleHelp (CVE-2024-57727): Authentication bypass in SimpleHelp that can allow unauthorized access to management interfaces or sessions.
  * Flowise Cloud (CVE-2025-58434): Information-disclosure vulnerability in Flowise Cloud that may expose sensitive configuration or user data to unauthenticated or low-privileged actors.
  * WordPress:Plugin: Ditty (CVE-2025-8085): SSRF in the Ditty WordPress plugin enabling server-side requests that could reach internal services or cloud metadata endpoints.
  * Vite (CVE-2025-30208): Directory-traversal vulnerability in Vite allowing access to filesystem paths outside the intended web root.

**Impact**  
These vulnerabilities allow attackers to gain access, escalate privileges, or execute actions that were previously unavailable:

  * SimpleHelp (CVE-2024-57727): An authentication bypass that can let unauthenticated attackers access management interfaces or hijack sessions — enabling lateral movement, credential theft, or privilege escalation within affected environments.
  * Flowise Cloud (CVE-2025-58434): Information-disclosure flaw that can expose sensitive configuration, tokens, or user data; leaked secrets may be chained into account takeover or privileged access to backend services.
  * WordPress:Plugin: Ditty (CVE-2025-8085): SSRF that enables server-side requests to internal services or cloud metadata endpoints, potentially allowing attackers to retrieve credentials or reach otherwise inaccessible infrastructure, leading to privilege escalation or cloud resource compromise.
  * Vite (CVE-2025-30208): Directory-traversal vulnerability that can expose filesystem contents outside the web root (configuration files, keys, source code), which attackers can use to escalate privileges or further compromise systems.

| Ruleset                    | Rule ID     | Legacy Rule ID | Description                                                 | Previous Action | New Action | Comments                                                                |
| -------------------------- | ----------- | -------------- | ----------------------------------------------------------- | --------------- | ---------- | ----------------------------------------------------------------------- |
| Cloudflare Managed Ruleset | ...8c2e30fb | 100717         | SimpleHelp - Auth Bypass - CVE:CVE-2024-57727               | Log             | Block      | This rule is merged to 100717 in legacy WAF and ...958094d3  in new WAF |
| Cloudflare Managed Ruleset | ...d58b886b | 100775         | Flowise Cloud - Information Disclosure - CVE:CVE-2025-58434 | Log             | Block      | This is a New Detection                                                 |
| Cloudflare Managed Ruleset | ...9bce1ff4 | 100881         | WordPress:Plugin:Ditty - SSRF - CVE:CVE-2025-8085           | Log             | Block      | This is a New Detection                                                 |
| Cloudflare Managed Ruleset | ...ddc329dd | 100887         | Vite - Directory Traversal - CVE:CVE-2025-30208             | Log             | Block      | This is a New Detection                                                 |

Sep 28, 2025
1. ### [WAF Release - 2025-09-28 - Emergency](https://developers.cloudflare.com/changelog/post/2025-09-28-emergency-waf-release/)  
[ WAF ](https://developers.cloudflare.com/waf/)  
This week highlights multiple critical Cisco vulnerabilities (CVE-2025-20363, CVE-2025-20333, CVE-2025-20362). This flaw stems from improper input validation in HTTP(S) requests. An authenticated VPN user could send crafted requests to execute code as root, potentially compromising the device.

**Key Findings**

  * Cisco (CVE-2025-20333, CVE-2025-20362, CVE-2025-20363): Multiple vulnerabilities that could allow attackers to exploit unsafe deserialization and input validation flaws. Successful exploitation may result in arbitrary code execution, privilege escalation, or command injection on affected systems.

**Impact**  
Cisco (CVE-2025-20333, CVE-2025-20362, CVE-2025-20363): Exploitation enables attackers to escalate privileges or achieve remote code execution via command injection.

| Ruleset                    | Rule ID     | Legacy Rule ID | Description                                                                                                                            | Previous Action | New Action | Comments                |
| -------------------------- | ----------- | -------------- | -------------------------------------------------------------------------------------------------------------------------------------- | --------------- | ---------- | ----------------------- |
| Cloudflare Managed Ruleset | ...9ee0ab84 | 100788         | Cisco Secure Firewall Adaptive Security Appliance - Remote Code Execution - CVE:CVE-2025-20333, CVE:CVE-2025-20362, CVE:CVE-2025-20363 | N/A             | Disabled   | This is a New Detection |
| Cloudflare Managed Ruleset | ...d30f768e | 100788A        | Cisco Secure Firewall Adaptive Security Appliance - Remote Code Execution - CVE:CVE-2025-20333, CVE:CVE-2025-20362, CVE:CVE-2025-20363 | N/A             | Disabled   | This is a New Detection |

Sep 26, 2025
1. ### [WAF Release - 2025-09-26](https://developers.cloudflare.com/changelog/post/2025-09-26-waf-release/)  
[ WAF ](https://developers.cloudflare.com/waf/)  

**Managed Ruleset Updated**  
This update introduces 11 new detections in the Cloudflare Managed Ruleset (all currently set to Disabled mode to preserve remediation logic and allow quick activation if needed). The rules cover a broad spectrum of threats - SQL injection techniques, command and code injection, information disclosure of common files, URL anomalies, and cross-site scripting.

| Ruleset                    | Rule ID     | Legacy Rule ID | Description                               | Previous Action | New Action | Comments                |
| -------------------------- | ----------- | -------------- | ----------------------------------------- | --------------- | ---------- | ----------------------- |
| Cloudflare Managed Ruleset | ...a67d8561 | 100859A        | SQLi - UNION - 3                          | N/A             | Disabled   | This is a New Detection |
| Cloudflare Managed Ruleset | ...4de80468 | 100889         | Command Injection - Generic 9             | N/A             | Disabled   | This is a New Detection |
| Cloudflare Managed Ruleset | ...f2be3ddf | 100890         | Information Disclosure - Common Files - 2 | N/A             | Disabled   | This is a New Detection |
| Cloudflare Managed Ruleset | ...80a252a8 | 100891         | Anomaly:URL - Relative Paths              | N/A             | Disabled   | This is a New Detection |
| Cloudflare Managed Ruleset | ...7e7d3865 | 100894         | XSS - Inline Function                     | N/A             | Disabled   | This is a New Detection |
| Cloudflare Managed Ruleset | ...3792565c | 100895         | XSS - DOM                                 | N/A             | Disabled   | This is a New Detection |
| Cloudflare Managed Ruleset | ...42978e38 | 100896         | SQLi - MSSQL Length Enumeration           | N/A             | Disabled   | This is a New Detection |
| Cloudflare Managed Ruleset | ...3ab43f7e | 100897         | Generic Rules - Code Injection - 3        | N/A             | Disabled   | This is a New Detection |
| Cloudflare Managed Ruleset | ...c1686741 | 100898         | SQLi - Evasion                            | N/A             | Disabled   | This is a New Detection |
| Cloudflare Managed Ruleset | ...20999be0 | 100899         | SQLi - Probing 2                          | N/A             | Disabled   | This is a New Detection |
| Cloudflare Managed Ruleset | ...b4026c88 | 100900         | SQLi - Probing                            | N/A             | Disabled   | This is a New Detection |

Sep 26, 2025
1. ### [Automatic loopback bindings via ctx.exports](https://developers.cloudflare.com/changelog/post/2025-09-26-ctx-exports/)  
[ Workers ](https://developers.cloudflare.com/workers/)  
The [ctx.exports API](https://developers.cloudflare.com/workers/runtime-apis/context/#exports) contains automatically-configured bindings corresponding to your Worker's top-level exports. For each top-level export extending `WorkerEntrypoint`, `ctx.exports` will contain a [Service Binding](https://developers.cloudflare.com/workers/runtime-apis/bindings/service-bindings) by the same name, and for each export extending `DurableObject` (and for which storage has been configured via a [migration](https://developers.cloudflare.com/durable-objects/reference/durable-objects-migrations/)), `ctx.exports` will contain a [Durable Object namespace binding](https://developers.cloudflare.com/durable-objects/api/namespace/). This means you no longer have to configure these bindings explicitly in `wrangler.jsonc`/`wrangler.toml`.  
Example:

**JavaScript**  
```js  
import { WorkerEntrypoint } from "cloudflare:workers";  
export class Greeter extends WorkerEntrypoint {  
  greet(name) {  
    return `Hello, ${name}!`;  
  }  
}  
export default {  
  async fetch(request, env, ctx) {  
    let greeting = await ctx.exports.Greeter.greet("World")  
    return new Response(greeting);  
  }  
}  
```  
At present, you must use [the enable\_ctx\_exports compatibility flag](https://developers.cloudflare.com/workers/configuration/compatibility-flags#enable-ctxexports) to enable this API, though it will be on by default in the future.  
[See the API reference for more information.](https://developers.cloudflare.com/workers/runtime-apis/context/#exports)

Sep 25, 2025
1. ### [Pipelines now supports SQL transformations and Apache Iceberg](https://developers.cloudflare.com/changelog/post/2025-09-25-pipelines-sql/)  
[ Pipelines ](https://developers.cloudflare.com/pipelines/)  
Today, we're launching the new [Cloudflare Pipelines](https://developers.cloudflare.com/pipelines/): a streaming data platform that ingests events, transforms them with [SQL](https://developers.cloudflare.com/pipelines/sql-reference/select-statements/), and writes to [R2](https://developers.cloudflare.com/r2/) as [Apache Iceberg ↗](https://iceberg.apache.org/) tables or Parquet files.  
Pipelines can receive events via [HTTP endpoints](https://developers.cloudflare.com/pipelines/streams/writing-to-streams/#send-via-http) or [Worker bindings](https://developers.cloudflare.com/pipelines/streams/writing-to-streams/#send-via-workers), transform them with SQL, and deliver to R2 with exactly-once guarantees. This makes it easy to build analytics-ready warehouses for server logs, mobile application events, IoT telemetry, or clickstream data without managing streaming infrastructure.  
For example, here's a pipeline that ingests clickstream events and filters out bot traffic while extracting domain information:  
```sql  
INSERT into events_table  
SELECT  
  user_id,  
  lower(event) AS event_type,  
  to_timestamp_micros(ts_us) AS event_time,  
  regexp_match(url, '^https?://([^/]+)')[1]  AS domain,  
  url,  
  referrer,  
  user_agent  
FROM events_json  
WHERE event = 'page_view'  
  AND NOT regexp_like(user_agent, '(?i)bot|spider');  
```  
Get started by creating a pipeline in the dashboard or running a single command in [Wrangler](https://developers.cloudflare.com/workers/wrangler/):  
```bash  
npx wrangler pipelines setup  
```  
Check out our [getting started guide](https://developers.cloudflare.com/pipelines/getting-started/) to learn how to create a pipeline that delivers events to an [Iceberg table](https://developers.cloudflare.com/r2/data-catalog/) you can query with R2 SQL. Read more about today's announcement in our [blog post ↗](https://blog.cloudflare.com/cloudflare-data-platform).

Sep 25, 2025
1. ### [Announcing R2 SQL](https://developers.cloudflare.com/changelog/post/2025-09-25-announcing-r2-sql-open-beta/)  
[ R2 SQL ](https://developers.cloudflare.com/r2-sql/)  
Today, we're launching the **open beta** for [R2 SQL](https://developers.cloudflare.com/r2-sql/): A serverless, distributed query engine that can efficiently analyze petabytes of data in [Apache Iceberg ↗](https://iceberg.apache.org/) tables managed by [R2 Data Catalog](https://developers.cloudflare.com/r2/data-catalog).  
R2 SQL is ideal for exploring analytical and time-series data stored in R2, such as logs, events from [Pipelines](https://developers.cloudflare.com/pipelines/), or clickstream and user behavior data.  
If you already have a table in R2 Data Catalog, running queries is as simple as:  
```bash  
npx wrangler r2 sql query YOUR_WAREHOUSE "  
SELECT  
    user_id,  
    event_type,  
    value  
FROM events.user_events  
WHERE (event_type = 'CHANGELOG' OR event_type = 'BLOG')  
  AND __ingest_ts > '2025-09-24T00:00:00Z'  
ORDER BY __ingest_ts DESC  
LIMIT 100"  
```  
To get started with R2 SQL, check out our [getting started guide](https://developers.cloudflare.com/r2-sql/get-started/) or learn more about supported features in the [SQL reference](https://developers.cloudflare.com/r2-sql/sql-reference/). For a technical deep dive into how we built R2 SQL, read our [blog post ↗](https://blog.cloudflare.com/r2-sql-deep-dive/).

Sep 25, 2025
1. ### [Browser Rendering Playwright GA, Stagehand support (Beta), and higher limits](https://developers.cloudflare.com/changelog/post/2025-09-25-br-playwright-ga-stagehand-limits/)  
[ Browser Run ](https://developers.cloudflare.com/browser-run/)  
We’re shipping three updates to Browser Rendering:

  * Playwright support is now Generally Available and synced with [Playwright v1.55 ↗](https://playwright.dev/docs/release-notes#version-155), giving you a stable foundation for critical automation and AI-agent workflows.
  * We’re also adding [Stagehand support (Beta)](https://developers.cloudflare.com/browser-run/stagehand/) so you can combine code with natural language instructions to build more resilient automations.
  * Finally, we’ve tripled [limits](https://developers.cloudflare.com/browser-run/limits/#workers-paid) for paid plans across both the [REST API](https://developers.cloudflare.com/browser-run/quick-actions/) and [Browser Sessions](https://developers.cloudflare.com/browser-run/#integration-methods) to help you scale.  
To get started with Stagehand, refer to the [Stagehand](https://developers.cloudflare.com/browser-run/stagehand/) example that uses Stagehand and [Workers AI](https://developers.cloudflare.com/workers-ai/) to search for a movie on this [example movie directory ↗](https://demo.playwright.dev/movies), extract its details using natural language (title, year, rating, duration, and genre), and return the information along with a screenshot of the webpage.

**Stagehand example**  
```ts  
const stagehand = new Stagehand({  
  env: "LOCAL",  
  localBrowserLaunchOptions: { cdpUrl: endpointURLString(env.BROWSER) },  
  llmClient: new WorkersAIClient(env.AI),  
  verbose: 1,  
});  
await stagehand.init();  
const page = stagehand.page;  
await page.goto("https://demo.playwright.dev/movies");  
// if search is a multi-step action, stagehand will return an array of actions it needs to act on  
const actions = await page.observe('Search for "Furiosa"');  
for (const action of actions) await page.act(action);  
await page.act("Click the search result");  
// normal playwright functions work as expected  
await page.waitForSelector(".info-wrapper .cast");  
let movieInfo = await page.extract({  
  instruction: "Extract movie information",  
  schema: z.object({  
    title: z.string(),  
    year: z.number(),  
    rating: z.number(),  
    genres: z.array(z.string()),  
    duration: z.number().describe("Duration in minutes"),  
  }),  
});  
await stagehand.close();  
```  
![Stagehand video](https://developers.cloudflare.com/images/browser-run/speedystagehand.gif)

Sep 25, 2025
1. ### [AI Search (formerly AutoRAG) now with More Models To Choose From](https://developers.cloudflare.com/changelog/post/2025-09-25-ai-search-more-models/)  
[ AI Search ](https://developers.cloudflare.com/ai-search/)  
AutoRAG is now AI Search! The new name marks a new and bigger mission: to make world-class search infrastructure available to every developer and business.  
With AI Search you can now use models from different providers like OpenAI and Anthropic. By attaching your provider keys to the AI Gateway linked to your AI Search instance, you can use many more models for both embedding and inference.  
To use AI Search with other [model providers](https://developers.cloudflare.com/ai-search/configuration/models/):

  1. **Add provider keys to AI Gateway**  
    1. Go to AI > AI Gateway in the dashboard.
    2. Select or create an AI gateway.
    3. In Provider Keys, choose your provider, click Add, and enter the key.
  2. **Connect a gateway to AI Search**: When creating a new AI Search, select the AI Gateway with your provider keys. For an existing AI Search, go to Settings and switch to a gateway that has your keys under Resources.
  3. **Select models**: Embedding models can only be changed when creating a new AI Search. The generation model can be selected when creating a new AI Search and can be changed at any time in Settings.  
Once configured, your AI Search instance will be able to reference models available through your AI Gateway when making a `/ai-search` request:

**JavaScript**  
```javascript  
export default {  
  async fetch(request, env) {  
    // Query your AI Search instance with a natural language question to an OpenAI model  
    const result = await env.AI.autorag("my-ai-search").aiSearch({  
      query: "What's new for Cloudflare Birthday Week?",  
      model: "openai/gpt-5"  
    });  
    // Return only the generated answer as plain text  
    return new Response(result.response, {  
      headers: { "Content-Type": "text/plain" },  
    });  
  },  
};  
```  
In the coming weeks we will also roll out updates to align the APIs with the new name. The existing APIs will continue to be supported for the time being. Stay tuned to the [AI Search Changelog](https://developers.cloudflare.com/changelog/product/ai-search/) and [Discord ↗](https://discord.cloudflare.com/) for more updates!

Sep 25, 2025
1. ### [Run more Containers with higher resource limits](https://developers.cloudflare.com/changelog/post/2025-09-24-higher-container-resource-limits/)  
[ Containers ](https://developers.cloudflare.com/containers/)  
You can now run more Containers concurrently with higher limits on CPU, memory, and disk.

| Limit                                          | New Limit | Previous Limit |
| ---------------------------------------------- | --------- | -------------- |
| Memory for concurrent live Container instances | 400GiB    | 40GiB          |
| vCPU for concurrent live Container instances   | 100       | 20             |
| Disk for concurrent live Container instances   | 2TB       | 100GB          |  
You can now run 1000 instances of the `dev` instance type, 400 instances of `basic`, or 100 instances of `standard` concurrently.  
This opens up new possibilities for running larger-scale workloads on Containers.  
See the [getting started guide](https://developers.cloudflare.com/containers/get-started/) to deploy your first Container, and the [limits documentation](https://developers.cloudflare.com/containers/platform-details/limits/) for more details on the available instance types and limits.

Sep 25, 2025
1. ### [Refine DLP Scans with New Body Phase Selector](https://developers.cloudflare.com/changelog/post/2025-09-25-body-phase-selector/)  
[ Gateway ](https://developers.cloudflare.com/cloudflare-one/traffic-policies/)[ Data Loss Prevention ](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/)  
You can now more precisely control your HTTP DLP policies by specifying whether to scan the request or response body, helping to reduce false positives and target specific data flows.  
In the Gateway HTTP policy builder, you will find a new selector called _Body Phase_. This allows you to define the direction of traffic the DLP engine will inspect:

  * _Request Body_: Scans data sent from a user's machine to an upstream service. This is ideal for monitoring data uploads, form submissions, or other user-initiated data exfiltration attempts.
  * _Response Body_: Scans data sent to a user's machine from an upstream service. Use this to inspect file downloads and website content for sensitive data.  
For example, consider a policy that blocks Social Security Numbers (SSNs). Previously, this policy might trigger when a user visits a website that contains example SSNs in its content (the response body). Now, by setting the **Body Phase** to _Request Body_, the policy will only trigger if the user attempts to upload or submit an SSN, ignoring the content of the web page itself.  
All policies without this selector will continue to scan both request and response bodies to ensure continued protection.  
For more information, refer to [Gateway HTTP policy selectors](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/#body-phase).

Sep 25, 2025
1. ### [Sign in with GitHub](https://developers.cloudflare.com/changelog/post/2025-09-25-sign-in-with-github/)  
[ Cloudflare Fundamentals ](https://developers.cloudflare.com/fundamentals/)  
Cloudflare has launched sign in with GitHub as a login option. This feature is available to all users with a verified email address who are not using SSO. To use it, click the `Sign in with GitHub` button on the dashboard login page. You will be logged in with your primary GitHub email address.  
#### For more information

  * [Log in to Cloudflare](https://developers.cloudflare.com/fundamentals/user-profiles/login/)

Sep 25, 2025
1. ### [SSO for all](https://developers.cloudflare.com/changelog/post/2025-09-25-sso-for-all/)  
[ Cloudflare Fundamentals ](https://developers.cloudflare.com/fundamentals/)  
Single sign-on (SSO) streamlines the process of logging into Cloudflare for Enterprise customers who manage a custom email domain and manage their own identity provider. Instead of managing a password and two-factor authentication credentials directly for Cloudflare, SSO lets you reuse your existing login infrastructure to seamlessly log in. SSO also provides additional security opportunities such as device health checks which are not available natively within Cloudflare.  
Historically, SSO was only available for Enterprise accounts. Today, we are announcing that we are making SSO available to all users for free. We have also added the ability to directly manage SSO configurations using the API. This removes the previous requirement to contact support to configure SSO.  
#### For more information

  * [Every Cloudflare feature, available to all ↗](https://blog.cloudflare.com/enterprise-grade-features-for-all/)
  * [Configure Dashboard SSO](https://developers.cloudflare.com/fundamentals/manage-members/dashboard-sso/)

Sep 25, 2025
1. ### [R2 Data Catalog now supports compaction](https://developers.cloudflare.com/changelog/post/2025-09-25-data-catalog-compaction/)  
[ R2 ](https://developers.cloudflare.com/r2/)  
You can now enable automatic compaction for [Apache Iceberg ↗](https://iceberg.apache.org/) tables in [R2 Data Catalog](https://developers.cloudflare.com/r2/data-catalog/) to improve query performance.  
Compaction is the process of taking a group of small files and combining them into fewer, larger files. This is an important maintenance operation because it helps keep query performance consistent by reducing the number of files that need to be scanned.  
To enable automatic compaction in R2 Data Catalog, find it under **R2 Data Catalog** in your R2 bucket settings in the dashboard.  
![compaction-dash](https://developers.cloudflare.com/_astro/compaction.MLojYuHL_wkqll.webp)  
Or with [Wrangler](https://developers.cloudflare.com/workers/wrangler/), run:  
```bash  
npx wrangler r2 bucket catalog compaction enable <BUCKET_NAME> --target-size 128 --token <API_TOKEN>  
```  
To get started with compaction, check out [manage catalogs](https://developers.cloudflare.com/r2/data-catalog/manage-catalogs/). For best practices and limitations, refer to [about compaction](https://developers.cloudflare.com/r2/data-catalog/table-maintenance/).

Sep 24, 2025
1. ### [WAF Release - 2025-09-24 - Emergency](https://developers.cloudflare.com/changelog/post/2025-09-24-emergency-waf-release/)  
[ WAF ](https://developers.cloudflare.com/waf/)  
This week highlights a critical vendor-specific vulnerability: a deserialization flaw in the License Servlet of Fortra’s GoAnywhere MFT. By forging a license response signature, an attacker can trigger deserialization of arbitrary objects, potentially leading to command injection.

**Key Findings**

  * GoAnywhere MFT (CVE-2025-10035): Deserialization vulnerability in the License Servlet that allows attackers with a forged license response signature to deserialize arbitrary objects, potentially resulting in command injection.

**Impact**  
GoAnywhere MFT (CVE-2025-10035): Exploitation enables attackers to escalate privileges or achieve remote code execution via command injection.

| Ruleset                    | Rule ID     | Legacy Rule ID | Description                                          | Previous Action | New Action | Comments                |
| -------------------------- | ----------- | -------------- | ---------------------------------------------------- | --------------- | ---------- | ----------------------- |
| Cloudflare Managed Ruleset | ...e08b39f3 | 100787         | Fortra GoAnywhere - Auth Bypass - CVE:CVE-2025-10035 | N/A             | Block      | This is a New Detection |

Sep 23, 2025
1. ### [Invalid Submissions Feedback](https://developers.cloudflare.com/changelog/post/2025-09-23-invalid-submissions/)  
[ Email security ](https://developers.cloudflare.com/cloudflare-one/email-security/)  
Email security relies on your submissions to continuously improve our detection models. However, we often receive submissions in formats that cannot be ingested, such as incomplete EMLs, screenshots, or text files.  
To ensure all customer feedback is actionable, we have launched two new features to manage invalid submissions sent to our team and user [submission aliases](https://developers.cloudflare.com/cloudflare-one/email-security/settings/phish-submissions/submission-addresses/):

  * **Email Notifications:** We now automatically notify users by email when they provide an invalid submission, educating them on the correct format. To disable notifications, go to **[Settings ↗](https://one.dash.cloudflare.com/?to=/:account/email-security/settings)** \> **Invalid submission emails** and turn the feature off.  
![EmailSec-Invalid-Submissions-Toggle](https://developers.cloudflare.com/_astro/EmailSec-Invalid-Submissions-Toggle.DXjbR6aX_ZsxWGB.webp)  
  * **Invalid Submission dashboard:** You can quickly identify which users need education to provide valid submissions so Cloudflare can provide continuous protection.  
![EmailSec-Invalid-Submissions-Dashboard](https://developers.cloudflare.com/_astro/EmailSec-Invalid-Submissions-Dashboard.zuf1on2n_2gjnGS.webp)  
Learn more about this feature on [invalid submissions](https://developers.cloudflare.com/cloudflare-one/email-security/submissions/invalid-submissions/).  
This feature is available across these Email security packages:

  * **Advantage**
  * **Enterprise**
  * **Enterprise + PhishGuard**

Sep 23, 2025
1. ### [Improved support for running multiple Workers with \`wrangler dev\`](https://developers.cloudflare.com/changelog/post/2025-09-23-wrangler-dev-multi-config-cross-command-support/)  
[ Workers ](https://developers.cloudflare.com/workers/)  
You can run multiple Workers in a single dev command by passing multiple config files to `wrangler dev`:  
```sh  
wrangler dev --config ./web/wrangler.jsonc --config ./api/wrangler.jsonc  
```  
Previously, if you ran the command above and then also ran wrangler dev for a different Worker, the Workers running in separate wrangler dev sessions could not communicate with each other. This prevented you from being able to use [Service Bindings ↗](https://developers.cloudflare.com/workers/runtime-apis/bindings/service-bindings/) and [Tail Workers ↗](https://developers.cloudflare.com/workers/observability/logs/tail-workers/) in local development, when running separate wrangler dev sessions.  
Now, the following works as expected:  
```sh  
# Terminal 1: Run your application that includes both Web and API workers  
wrangler dev --config ./web/wrangler.jsonc --config ./api/wrangler.jsonc  
# Terminal 2: Run your auth worker separately  
wrangler dev --config ./auth/wrangler.jsonc  
```  
These Workers can now communicate with each other across separate dev commands, regardless of your development setup.

**./api/src/index.ts**  
```js  
export default {  
  async fetch(request, env) {  
    // This service binding call now works across dev commands  
    const authorized = await env.AUTH.isAuthorized(request);  
    if (!authorized) {  
      return new Response("Unauthorized", { status: 401 });  
    }  
    return new Response("Hello from API Worker!", { status: 200 });  
  },  
};  
```  
Check out the [Developing with multiple Workers](https://developers.cloudflare.com/workers/local-development/multi-workers) guide to learn more about the different approaches and when to use each one.

Sep 22, 2025
1. ### [Access Remote Desktop Protocol (RDP) destinations securely from your browser — now generally available!](https://developers.cloudflare.com/changelog/post/2025-09-22-browser-based-rdp-ga/)  
[ Access ](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/)  
[Browser-based RDP](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/rdp/rdp-browser/) with [Cloudflare Access](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) is now generally available for all Cloudflare customers. It enables secure, remote Windows server access without VPNs or RDP clients.  
Since we announced our [open beta](https://developers.cloudflare.com/changelog/access/#2025-06-30), we've made a few improvements:

  * Support for targets with IPv6.
  * Support for [Magic WAN](https://developers.cloudflare.com/cloudflare-wan/) and [WARP Connector](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-mesh/) as on-ramps.
  * More robust error messaging on the login page to help you if you encounter an issue.
  * Worldwide keyboard support. Whether your day-to-day is in Portuguese, Chinese, or something in between, your browser-based RDP experience will look and feel exactly like you are using a desktop RDP client.
  * Cleaned up some other miscellaneous issues, including but not limited to enhanced support for Entra ID accounts and support for usernames with spaces, quotes, and special characters.  
As a refresher, here are some benefits browser-based RDP provides:

  * **Control how users authenticate to internal RDP resources** with single sign-on (SSO), multi-factor authentication (MFA), and granular access policies.
  * **Record who is accessing which servers and when** to support regulatory compliance requirements and to gain greater visibility in the event of a security event.
  * **Eliminate the need to install and manage software on user devices**. You will only need a web browser.
  * **Reduce your attack surface** by keeping your RDP servers off the public Internet and protecting them from common threats like credential stuffing or brute-force attacks.  
![Example of a browser-based RDP Access application](https://developers.cloudflare.com/_astro/browser-based-rdp-access-app.BNXce1JL_1TDoUX.webp)  
To get started, refer to [Connect to RDP in a browser](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/rdp/rdp-browser/).

Sep 22, 2025
1. ### [WAF Release - 2025-09-22](https://developers.cloudflare.com/changelog/post/2025-09-22-waf-release/)  
[ WAF ](https://developers.cloudflare.com/waf/)  
This week emphasizes two critical vendor-specific vulnerabilities: a full elevation-of-privilege in Microsoft Azure Networking (CVE-2025-54914) and a server-side template injection (SSTI) leading to remote code execution (RCE) in Skyvern (CVE-2025-49619). These are complemented by enhancements in generic detections (SQLi, SSRF) to improve baseline coverage.

**Key Findings**

  * Azure (CVE-2025-54914): Vulnerability in Azure Networking allowing elevation of privileges.
  * Skyvern (CVE-2025-49619): Skyvern ≤ 0.1.85 has a server-side template injection (SSTI) vulnerability in its Prompt field (workflow blocks) via Jinja2. Authenticated users with low privileges can get remote code execution (blind).
  * Generic SQLi / SSRF improvements: Expanded rule coverage to detect obfuscated SQL injection patterns and SSRF across host, local, and cloud contexts.

**Impact**  
These vulnerabilities allow attackers to escalate privileges or execute code under conditions where previously they could not:

  * Azure CVE-2025-54914 enables a network attacker with no credentials to gain high-level access within Azure Networking, which could lead to full compromise of networking components.
  * Skyvern CVE-2025-49619 allows authenticated users with minimal privilege to exploit SSTI for remote code execution, undermining isolation of workflow components.
  * The improvements for SQLi and SSRF reduce risk from common injection and request-based attacks.

| Ruleset                    | Rule ID     | Legacy Rule ID | Description                                                 | Previous Action | New Action | Comments                                                             |
| -------------------------- | ----------- | -------------- | ----------------------------------------------------------- | --------------- | ---------- | -------------------------------------------------------------------- |
| Cloudflare Managed Ruleset | ...6a135cbf | 100146         | SSRF - Host - 2                                             | Log             | Disabled   | This is a New Detection                                              |
| Cloudflare Managed Ruleset | ...57035abf | 100146B        | SSRF - Local - 2                                            | Log             | Disabled   | This is a New Detection                                              |
| Cloudflare Managed Ruleset | ...bbe18d50 | 100146C        | SSRF - Cloud - 2                                            | Log             | Disabled   | This is a New Detection                                              |
| Cloudflare Managed Ruleset | ...956c1961 | 100714         | Azure - Auth Bypass - CVE:CVE-2025-54914                    | Log             | Block      | This is a New Detection                                              |
| Cloudflare Managed Ruleset | ...c5ced231 | 100758         | Skyvern - Remote Code Execution - CVE:CVE-2025-49619        | Log             | Block      | This is a New Detection                                              |
| Cloudflare Managed Ruleset | ...84a619a1 | 100773         | Next.js - SSRF                                              | Log             | Block      | This is a New Detection                                              |
| Cloudflare Managed Ruleset | ...983ff2dd | 100774         | Adobe Commerce - Remote Code Execution - CVE:CVE-2025-54236 | Log             | Block      | This is a New Detection                                              |
| Cloudflare Managed Ruleset | ...0380a1a6 | 100800\_BETA   | SQLi - Obfuscated Boolean - Beta                            | Log             | Block      | This rule has been merged into the original rule (ID: ...5563445f)   |

Sep 19, 2025
1. ### [New Metrics View in AutoRAG](https://developers.cloudflare.com/changelog/post/2025-09-19-autorag-metrics/)  
[ AI Search ](https://developers.cloudflare.com/ai-search/)  
[AutoRAG](https://developers.cloudflare.com/ai-search/) now includes a **Metrics** tab that shows how your data is indexed and searched. Get a clear view of the health of your indexing pipeline, compare usage between `ai-search` and `search`, and see which files are retrieved most often.  
![Metrics](https://developers.cloudflare.com/_astro/metrics.BBUwKIos_zR8bd.webp)  
You can find these metrics within each AutoRAG instance:

  * Indexing: Track how files are ingested and see status changes over time.
  * Search breakdown: Compare usage between `ai-search` and `search` endpoints.
  * Top file retrievals: Identify which files are most frequently retrieved in a given period.  
Try it today in [AutoRAG](https://developers.cloudflare.com/ai-search/get-started/).

Sep 19, 2025
1. ### [Rate Limiting in Workers is now GA](https://developers.cloudflare.com/changelog/post/2025-09-19-ratelimit-workers-ga/)  
[ Workers ](https://developers.cloudflare.com/workers/)  
[Rate Limiting within Cloudflare Workers](https://developers.cloudflare.com/workers/runtime-apis/bindings/rate-limit/) is now Generally Available (GA).  
The `ratelimit` binding is now stable and recommended for all production workloads. Existing deployments using the unsafe binding will continue to function to allow for a smooth transition.  
For more details, refer to [Workers Rate Limiting](https://developers.cloudflare.com/workers/runtime-apis/bindings/rate-limit/) documentation.

Sep 19, 2025
1. ### [Panic Recovery for Rust Workers](https://developers.cloudflare.com/changelog/post/2025-09-19-workers-rs-panic-recovery/)  
[ Workers ](https://developers.cloudflare.com/workers/)  
In [workers-rs ↗](https://github.com/cloudflare/workers-rs), Rust panics were previously non-recoverable. A panic would put the Worker into an invalid state, and further function calls could result in memory overflows or exceptions.  
Now, when a panic occurs, in-flight requests will throw 500 errors, but the Worker will automatically and instantly recover for future requests.  
This ensures more reliable deployments. Automatic panic recovery is enabled for all new workers-rs deployments as of version 0.6.5, with no configuration required.  
#### Fixing Rust Panics with Wasm Bindgen  
Rust Workers are built with Wasm Bindgen, which treats panics as non-recoverable. After a panic, the entire Wasm application is considered to be in an invalid state.  
We now attach a default panic handler in Rust:  
```rust  
std::panic::set_hook(Box::new(move |panic_info| {  
  hook_impl(panic_info);  
}));  
```  
This hook is registered by default in the JS initialization:

**JavaScript**  
```js  
import { setPanicHook } from "./index.js";  
setPanicHook(function (err) {  
  console.error("Panic handler!", err);  
});  
```  
When a panic occurs, we reset the Wasm state to revert the Wasm application to how it was when the application started.  
#### Resetting VM State in Wasm Bindgen  
We worked upstream on the Wasm Bindgen project to implement a new [\--experimental-reset-state-function compilation option ↗](https://github.com/wasm-bindgen/wasm-bindgen/pull/4644) which outputs a new `__wbg_reset_state` function.  
This function clears all internal state related to the Wasm VM, and updates all function bindings in place to reference the new WebAssembly instance.  
One other necessary change here was associating Wasm-created JS objects with an instance identity. If a JS object created by an earlier instance is then passed into a new instance later on, a new "stale object" error is specially thrown when using this feature.  
#### Layered Solution  
Building on this new Wasm Bindgen feature, layered with our new default panic handler, we also added a proxy wrapper to ensure all top-level exported class instantiations (such as for Rust Durable Objects) are tracked and fully reinitialized when resetting the Wasm instance. This was necessary because the workerd runtime will instantiate exported classes, which would then be associated with the Wasm instance.  
This approach now provides full panic recovery for Rust Workers on subsequent requests.  
Of course, we never want panics, but when they do happen they are isolated and can be investigated further from the error logs - avoiding broader service disruption.  
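The recovery behaviour described above (the in-flight request fails with a 500, the instance is reset, and objects from the earlier instance are rejected as stale) can be modelled in native Rust. This is an added example, not workers-rs or Wasm Bindgen code: `Host`, `Instance` and `Handle` are hypothetical names, and `catch_unwind` stands in for the panic hook because a native build can unwind where the Wasm build cannot.

```rust
use std::panic::{self, AssertUnwindSafe};

// Hypothetical stand-in for one WebAssembly instance: an identity plus state.
struct Instance {
    id: u64,
    counter: u32, // state a panic may leave half-updated
}

// Hypothetical handle to an object created by one specific instance.
#[derive(Clone, Copy, Debug, PartialEq)]
struct Handle {
    instance_id: u64,
    value: u32,
}

struct Host {
    instance: Instance,
    next_id: u64,
}

impl Host {
    fn new() -> Self {
        Host { instance: Instance { id: 1, counter: 0 }, next_id: 2 }
    }

    // Swap in a fresh instance with a new identity, discarding all old state.
    fn reset(&mut self) {
        self.instance = Instance { id: self.next_id, counter: 0 };
        self.next_id += 1;
    }

    // Run one request. A panic fails only this request (500) and forces a reset.
    fn handle(&mut self, path: &str) -> (u16, Option<Handle>) {
        let inst = &mut self.instance;
        let outcome = panic::catch_unwind(AssertUnwindSafe(|| {
            inst.counter += 1;
            if path == "/boom" {
                panic!("constructed failure in handler");
            }
            Handle { instance_id: inst.id, value: inst.counter }
        }));
        match outcome {
            Ok(handle) => (200, Some(handle)),
            Err(_) => {
                self.reset();
                (500, None)
            }
        }
    }

    // Reject objects that were created by an instance that has since been reset.
    fn use_handle(&self, h: Handle) -> Result<u32, String> {
        if h.instance_id != self.instance.id {
            return Err(format!("stale object from instance {}", h.instance_id));
        }
        Ok(h.value)
    }
}

fn main() {
    let mut host = Host::new();
    let (_, before) = host.handle("/ok");
    println!("{:?}", host.handle("/boom")); // (500, None)
    println!("{:?}", host.handle("/ok")); // served by instance 2
    println!("{:?}", host.use_handle(before.unwrap())); // Err: stale object
}
```

Tying each handle to an instance identity is what keeps a reset from silently mixing pre-panic objects into the fresh state.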
#### WebAssembly Exception Handling  
In the future, full support for recoverable panics could be implemented without needing reinitialization at all, utilizing the [WebAssembly Exception Handling ↗](https://github.com/WebAssembly/exception-handling/blob/main/proposals/exception-handling/Exceptions.md) proposal, part of the newly announced [WebAssembly 3.0 ↗](https://webassembly.org/news/2025-09-17-wasm-3.0/) specification. This would allow unwinding panics as normal JS errors, and concurrent requests would no longer fail.

**We're making significant improvements to the reliability of [Rust Workers ↗](https://github.com/cloudflare/workers-rs). Join us in `#rust-on-workers` on the [Cloudflare Developers Discord ↗](https://discord.gg/cloudflaredev) to stay updated.**

Sep 18, 2025
1. ### [Connect and secure any private or public app by hostname, not IP — with hostname routing for Cloudflare Tunnel](https://developers.cloudflare.com/changelog/post/2025-09-18-tunnel-hostname-routing/)  
[ Cloudflare Tunnel ](https://developers.cloudflare.com/tunnel/)[ Cloudflare Tunnel for SASE ](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/)  
You can now route private traffic to [Cloudflare Tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/) based on a hostname or domain, moving beyond the limitations of IP-based routing. This new capability is **free for all Cloudflare One customers**.  
Previously, Tunnel routes could only be defined by IP address or [CIDR range](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/connect-cidr/). This created a challenge for modern applications with dynamic or ephemeral IP addresses, often forcing administrators to maintain complex and brittle IP lists.  
![Hostname-based routing in Cloudflare Tunnel](https://developers.cloudflare.com/_astro/tunnel-hostname-routing.DSi8MP_7_Z1E6Ym4.webp)  

**What’s new:**

  * **Hostname & Domain Routing**: Create routes for individual hostnames (e.g., `payroll.acme.local`) or entire domains (e.g., `*.acme.local`) and direct their traffic to a specific Tunnel.
  * **Simplified Zero Trust Policies**: Build resilient policies in Cloudflare Access and Gateway using stable hostnames, making it dramatically easier to apply per-resource authorization for your private applications.
  * **Precise Egress Control**: Route traffic for public hostnames (e.g., `bank.example.com`) through a specific Tunnel to enforce a dedicated source IP, solving the IP allowlist problem for third-party services.
  * **No More IP Lists**: This feature makes the workaround of maintaining dynamic IP Lists for Tunnel connections obsolete.  
Get started in the Tunnels section of the Zero Trust dashboard with your first [private hostname](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/connect-private-hostname/) or [public hostname](https://developers.cloudflare.com/cloudflare-one/traffic-policies/egress-policies/egress-cloudflared/) route.  
Learn more in our [blog post ↗](https://blog.cloudflare.com/tunnel-hostname-routing/).

