---
title: Changelogs
image: https://developers.cloudflare.com/cf-twitter-card.png
---

> Documentation Index  
> Fetch the complete documentation index at: https://developers.cloudflare.com/changelog/llms.txt  
> Use this file to discover all available pages before exploring further. 

[Skip to content](#%5Ftop) 

# Changelog

New updates and improvements at Cloudflare.

[ Subscribe to RSS ](https://developers.cloudflare.com/changelog/rss/index.xml) [ View RSS feeds ](https://developers.cloudflare.com/fundamentals/new-features/available-rss-feeds/) 

All products

![hero image](https://developers.cloudflare.com/_astro/hero.CVYJHPAd_26AMqX.svg) 

Jun 30, 2025
1. ### [Mail authentication requirements for Email Routing](https://developers.cloudflare.com/changelog/post/2025-06-30-mail-authentication/)  
[ Email Service ](https://developers.cloudflare.com/email-service/)  
The Email Routing platform supports [SPF ↗](https://datatracker.ietf.org/doc/html/rfc7208) records and [DKIM (DomainKeys Identified Mail) ↗](https://en.wikipedia.org/wiki/DomainKeys%5FIdentified%5FMail) signatures and honors these protocols when the sending domain has them configured. However, if the sending domain doesn't implement them, we still forward the emails to upstream mailbox providers.  
Starting on July 3, 2025, we will require all emails to be authenticated using at least one of the protocols, SPF or DKIM, to forward them. We also strongly recommend that all senders implement the DMARC protocol.  
If you are using a Worker with an Email trigger to receive email messages and forward them upstream, you will need to handle the case where the forward action may fail due to missing authentication on the incoming email.  
SPAM has been a long-standing issue with email. By enforcing mail authentication, we will increase the efficiency of identifying abusive senders and blocking bad emails. If you're an email server delivering emails to large mailbox providers, it's likely you already use these protocols; otherwise, please ensure you have them properly configured.

Jun 30, 2025
1. ### [Graceful withdrawal of BYOIP prefixes](https://developers.cloudflare.com/changelog/post/2025-06-30-graceful-byoip-withdrawal/)  
[ Magic Transit ](https://developers.cloudflare.com/magic-transit/)  
Magic Transit customers can now configure AS prepending on their BYOIP prefixes advertised at the Cloudflare edge. This allows for smoother traffic migration and minimizes packet loss when changing providers.  
AS prepending makes the Cloudflare route less preferred by increasing the AS path length. You can use this to gradually shift traffic away from Cloudflare before withdrawing a prefix, avoiding abrupt routing changes.  
Prepending can be configured via the API or through BGP community values when peering with the Magic Transit routing table. For more information, refer to [Advertise prefixes](https://developers.cloudflare.com/magic-transit/how-to/advertise-prefixes/).

Jun 30, 2025
1. ### [Remote bindings (beta) now works with Next.js — connect to remote resources (D1, KV, R2, etc.) during local development](https://developers.cloudflare.com/changelog/post/2025-06-25-getplatformproxy-support-remote-bindings/)  
[ Workers ](https://developers.cloudflare.com/workers/)  
We [recently announced ↗](https://github.com/cloudflare/workers-sdk/discussions/9660) our public beta for [remote bindings](https://developers.cloudflare.com/workers/local-development/#remote-bindings), which allow you to connect to deployed resources running on your Cloudflare account (like [R2 buckets](https://developers.cloudflare.com/r2) or [D1 databases](https://developers.cloudflare.com/d1)) while running a local development session.  
Now, you can use remote bindings with your Next.js applications through the [@opennextjs/cloudflare adaptor ↗](https://opennext.js.org/cloudflare/bindings#remote-bindings) by enabling the experimental feature in your `next.config.ts`:  
```  
initOpenNextCloudflareForDev();initOpenNextCloudflareForDev({ experimental: { remoteBindings: true }});  
```  
Then, all you have to do is specify which bindings you want connected to the deployed resource on your Cloudflare account via the `experimental_remote` flag in your binding definition:

  * [  wrangler.jsonc ](#tab-panel-4869)
  * [  wrangler.toml ](#tab-panel-4870)  
JSONC  
```  
{  "r2_buckets": [    {      "bucket_name": "testing-bucket",      "binding": "MY_BUCKET",      "experimental_remote": true,    },  ],}  
```  
TOML  
```  
[[r2_buckets]]bucket_name = "testing-bucket"binding = "MY_BUCKET"experimental_remote = true  
```  
You can then run `next dev` to start a local development session (or start a preview with `opennextjs-cloudflare preview`), and all requests to `env.MY_BUCKET` will be proxied to the remote `testing-bucket` — rather than the [default local binding simulations](https://developers.cloudflare.com/workers/local-development/#bindings-during-local-development).  
#### Remote bindings & ISR  
Remote bindings are also used during the build process, which comes with significant benefits for pages using [Incremental Static Regeneration (ISR) ↗](https://opennext.js.org/aws/inner%5Fworkings/components/server/node#isrssg). During the build step for an ISR page, your server executes the page's code just as it would for normal user requests. If a page needs data to display (like fetching user info from [KV](https://developers.cloudflare.com/kv)), those requests are actually made. The server then uses this fetched data to render the final HTML.  
Data fetching is a critical part of this process, as the finished HTML is only as good as the data it was built with. If the build process can't fetch real data, you end up with a pre-rendered page that's empty or incomplete.

**With remote bindings support in OpenNext,** your pre-rendered pages are built with real data from the start. The build process uses any configured remote bindings, and any data fetching occurs against the deployed resources on your Cloudflare account.

**Want to learn more?** Get started with [remote bindings and OpenNext ↗](https://opennext.js.org/cloudflare/bindings#remote-bindings).

**Have feedback?** Join the discussion in our [beta announcement ↗](https://github.com/cloudflare/workers-sdk/discussions/9660) to share feedback or report any issues.

Jun 26, 2025
1. ### [Run and connect Workers in separate dev commands with the Cloudflare Vite plugin](https://developers.cloudflare.com/changelog/post/2025-06-26-vite-plugin-cross-commands-binding/)  
[ Workers ](https://developers.cloudflare.com/workers/)  
Workers can now talk to each other across separate dev commands using service bindings and tail consumers, whether started with `vite dev` or `wrangler dev`.  
Simply start each Worker in its own terminal:  
Terminal window  
```  
# Terminal 1vite dev  
# Terminal 2wrangler dev  
```  
This is useful when different teams maintain different Workers, or when each Worker has its own build setup or tooling.  
Check out the [Developing with multiple Workers](https://developers.cloudflare.com/workers/local-development/multi-workers) guide to learn more about the different approaches and when to use each one.

Jun 25, 2025
1. ### [Run AI-generated code on-demand with Code Sandboxes (new)](https://developers.cloudflare.com/changelog/post/2025-06-24-announcing-sandboxes/)  
[ Agents ](https://developers.cloudflare.com/agents/)[ Workers ](https://developers.cloudflare.com/workers/)[ Workflows ](https://developers.cloudflare.com/workflows/)  
AI is supercharging app development for everyone, but we need a safe way to run untrusted, LLM-written code. We’re introducing [Sandboxes ↗](https://www.npmjs.com/package/@cloudflare/sandbox), which let your Worker run actual processes in a secure, container-based environment.  
TypeScript  
```  
import { getSandbox } from "@cloudflare/sandbox";export { Sandbox } from "@cloudflare/sandbox";  
export default {  async fetch(request: Request, env: Env) {    const sandbox = getSandbox(env.Sandbox, "my-sandbox");    return sandbox.exec("ls", ["-la"]);  },};  
```  
#### Methods

  * `exec(command: string, args: string[], options?: { stream?: boolean })`:Execute a command in the sandbox.
  * `gitCheckout(repoUrl: string, options: { branch?: string; targetDir?: string; stream?: boolean })`: Checkout a git repository in the sandbox.
  * `mkdir(path: string, options: { recursive?: boolean; stream?: boolean })`: Create a directory in the sandbox.
  * `writeFile(path: string, content: string, options: { encoding?: string; stream?: boolean })`: Write content to a file in the sandbox.
  * `readFile(path: string, options: { encoding?: string; stream?: boolean })`: Read content from a file in the sandbox.
  * `deleteFile(path: string, options?: { stream?: boolean })`: Delete a file from the sandbox.
  * `renameFile(oldPath: string, newPath: string, options?: { stream?: boolean })`: Rename a file in the sandbox.
  * `moveFile(sourcePath: string, destinationPath: string, options?: { stream?: boolean })`: Move a file from one location to another in the sandbox.
  * `ping()`: Ping the sandbox.  
Sandboxes are still experimental. We're using them to explore how isolated, container-like workloads might scale on Cloudflare — and to help define the developer experience around them.  
You can try it today from your Worker, with just a few lines of code. Let us know what you build.

Jun 25, 2025
1. ### [@cloudflare/actors library - SDK for Durable Objects in beta](https://developers.cloudflare.com/changelog/post/2025-06-25-actors-package-alpha/)  
[ Durable Objects ](https://developers.cloudflare.com/durable-objects/)[ Workers ](https://developers.cloudflare.com/workers/)  
The new [@cloudflare/actors ↗](https://www.npmjs.com/package/@cloudflare/actors) library is now in beta!  
The `@cloudflare/actors` library is a new SDK for Durable Objects and provides a powerful set of abstractions for building real-time, interactive, and multiplayer applications on top of Durable Objects. With beta usage and feedback, `@cloudflare/actors` will become the recommended way to build on Durable Objects and draws upon Cloudflare's experience building products/features on Durable Objects.  
The name "actors" originates from the [actor programming model](https://developers.cloudflare.com/durable-objects/concepts/what-are-durable-objects/#actor-programming-model), which closely ties to how Durable Objects are modelled.  
The `@cloudflare/actors` library includes:

  * Storage helpers for querying embeddeded, per-object SQLite storage
  * Storage helpers for managing SQL schema migrations
  * Alarm helpers for scheduling multiple alarms provided a date, delay in seconds, or cron expression
  * `Actor` class for using Durable Objects with a defined pattern
  * Durable Objects [Workers API ↗](https://developers.cloudflare.com/durable-objects/api/base/) is always available for your application as needed  
Storage and alarm helper methods can be combined with [any Javascript class ↗](https://github.com/cloudflare/actors?tab=readme-ov-file#storage--alarms-with-durableobject-class) that defines your Durable Object, i.e, ones that extend `DurableObject` including the `Actor` class.  
JavaScript  
```  
import { Storage } from "@cloudflare/actors/storage";  
export class ChatRoom extends DurableObject<Env> {    storage: Storage;  
    constructor(ctx: DurableObjectState, env: Env) {        super(ctx, env)        this.storage = new Storage(ctx.storage);        this.storage.migrations = [{            idMonotonicInc: 1,            description: "Create users table",            sql: "CREATE TABLE IF NOT EXISTS users (id INTEGER PRIMARY KEY)"        }]    }    async fetch(request: Request): Promise<Response> {        // Run migrations before executing SQL query        await this.storage.runMigrations();  
        // Query with SQL template        let userId = new URL(request.url).searchParams.get("userId");        const query = this.storage.sql`SELECT * FROM users WHERE id = ${userId};`        return new Response(`${JSON.stringify(query)}`);    }}  
```  
`@cloudflare/actors` library introduces the `Actor` class pattern. `Actor` lets you access Durable Objects without writing the Worker that communicates with your Durable Object (the Worker is created for you). By default, requests are routed to a Durable Object named "default".  
JavaScript  
```  
export class MyActor extends Actor<Env> {    async fetch(request: Request): Promise<Response> {        return new Response('Hello, World!')    }}  
export default handler(MyActor);  
```  
You can [route](https://developers.cloudflare.com/durable-objects/get-started/#3-instantiate-and-communicate-with-a-durable-object) to different Durable Objects by name within your `Actor` class using [nameFromRequest ↗](https://github.com/cloudflare/actors?tab=readme-ov-file#actor-with-custom-name).  
JavaScript  
```  
export class MyActor extends Actor<Env> {    static nameFromRequest(request: Request): string {        let url = new URL(request.url);        return url.searchParams.get("userId") ?? "foo";    }  
    async fetch(request: Request): Promise<Response> {        return new Response(`Actor identifier (Durable Object name): ${this.identifier}`);    }}  
export default handler(MyActor);  
```  
For more examples, check out the library [README ↗](https://github.com/cloudflare/actors?tab=readme-ov-file#getting-started). `@cloudflare/actors` library is a place for more helpers and built-in patterns, like retry handling and Websocket-based applications, to reduce development overhead for common Durable Objects functionality. Please share feedback and what more you would like to see on our [Discord channel ↗](https://discord.com/channels/595317990191398933/773219443911819284).

Jun 23, 2025
1. ### [Data Security Analytics in the Zero Trust dashboard](https://developers.cloudflare.com/changelog/post/cf1-data-security-analytics-v1/)  
[ Data Loss Prevention ](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/)[ CASB ](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/)[ Cloudflare One ](https://developers.cloudflare.com/cloudflare-one/)  
Zero Trust now includes **Data security analytics**, providing you with unprecedented visibility into your organization sensitive data.  
The new dashboard includes:

  * **Sensitive Data Movement Over Time:**

    * See patterns and trends in how sensitive data moves across your environment. This helps understand where data is flowing and identify common paths.
  * **Sensitive Data at Rest in SaaS & Cloud:**

    * View an inventory of sensitive data stored within your corporate SaaS applications (for example, Google Drive, Microsoft 365) and cloud accounts (such as AWS S3).
  * **DLP Policy Activity:**

    * Identify which of your Data Loss Prevention (DLP) policies are being triggered most often.
    * See which specific users are responsible for triggering DLP policies.  
![Data Security Analytics](https://developers.cloudflare.com/_astro/cf1-data-security-analytics-v1.BGl6fYXl_H3N0P.webp)  
To access the new dashboard, log in to [Cloudflare One ↗](https://one.dash.cloudflare.com/) and go to **Insights** on the sidebar.

Jun 23, 2025
1. ### [Cloudflare User Groups & SCIM User Groups are now in GA](https://developers.cloudflare.com/changelog/post/2025-06-23-user-groups-ga/)  
[ Cloudflare Fundamentals ](https://developers.cloudflare.com/fundamentals/)  
We're announcing the GA of **User Groups for Cloudflare Dashboard** and **System for Cross Domain Identity Management (SCIM) User Groups**, strengthening our RBAC capabilities with stable, production-ready primitives for managing access at scale.

**What's New**

**User Groups \[GA\]**: [User Groups](https://developers.cloudflare.com/fundamentals/manage-members/user-groups/) are a new Cloudflare IAM primitive that enable administrators to create collections of account members that are treated equally from an access control perspective. User Groups can be assigned permission policies, with individual members in the group inheriting all permissions granted to the User Group. User Groups can be created manually or via our APIs.

**SCIM User Groups \[GA\]**: Centralize & simplify your user and group management at scale by syncing memberships directly from your upstream identity provider (like Okta or Entra ID) to the Cloudflare Platform. This ensures Cloudflare stays in sync with your identity provider, letting you apply Permission Policies to those synced groups directly within the Cloudflare Dashboard.

**Stability & Scale**: These features have undergone extensive testing during the Public Beta period and are now ready for production use across enterprises of all sizes.  
Note  
SCIM Virtual Groups (identified by the pattern `CF-<accountID>-<Role Name>` in your IdP) are now officially deprecated as of June 2, 2025\. SCIM Virtual Groups end-of-life will take effect on December 2, 2025\. We strongly recommend migrating to SCIM User Groups to ensure continued support for SCIM synchronization to the Cloudflare Dashboard. If you haven’t used Virtual Groups, no action is required.  
For more info:

  * [Get started with User Groups](https://developers.cloudflare.com/fundamentals/manage-members/user-groups/)
  * [Explore our SCIM integration guide](https://developers.cloudflare.com/fundamentals/account/account-security/scim-setup/)

Jun 20, 2025
1. ### [CNI maintenance alerts](https://developers.cloudflare.com/changelog/post/2025-06-20-cni-maintenance-alerts/)  
[ Network Interconnect ](https://developers.cloudflare.com/network-interconnect/)  
Customers using Cloudflare Network Interconnect with the v1 dataplane can now subscribe to maintenance alert emails. These alerts notify you of planned maintenance windows that may affect your CNI circuits.  
For more information, refer to [Monitoring and alerts](https://developers.cloudflare.com/network-interconnect/monitoring-and-alerts/).

Jun 20, 2025
1. ### [Increased blob size limits in Workers Analytics Engine](https://developers.cloudflare.com/changelog/post/2025-06-20-increased-blob-size-limits-in-workers-analytics/)  
[ Workers ](https://developers.cloudflare.com/workers/)  
We’ve increased the total allowed size of [blob](https://developers.cloudflare.com/analytics/analytics-engine/get-started/#2-write-data-points-from-your-worker) fields on data points written to [Workers Analytics Engine](https://developers.cloudflare.com/analytics/analytics-engine/) from **5 KB to 16 KB**.  
This change gives you more flexibility when logging rich observability data — such as base64-encoded payloads, AI inference traces, or custom metadata — without hitting request size limits.  
You can find full details on limits for queries, filters, payloads, and more [here in the Workers Analytics Engine limits documentation](https://developers.cloudflare.com/analytics/analytics-engine/limits/).

  * [  JavaScript ](#tab-panel-4875)
  * [  TypeScript ](#tab-panel-4876)  
JavaScript  
```  
export default {  async fetch(request, env) {    env.analyticsDataset.writeDataPoint({      // The sum of all of the blob's sizes can now be 16 KB      blobs: [        // The URL of the request to the Worker        request.url,        // Some metadata about your application you'd like to store        JSON.stringify(metadata),        // The version of your Worker this datapoint was collected from        env.versionMetadata.tag,      ],      indexes: ["sample-index"],    });  },};  
```  
TypeScript  
```  
export default {  async fetch(request, env) {    env.analyticsDataset.writeDataPoint({      // The sum of all of the blob's sizes can now be 16 KB      blobs: [        // The URL of the request to the Worker        request.url,        // Some metadata about your application you'd like to store        JSON.stringify(metadata),        // The version of your Worker this datapoint was collected from        env.versionMetadata.tag,      ],      indexes: ["sample-index"],    });  }};  
```

Jun 19, 2025
1. ### [View custom metadata in responses and guide AI-search with context in AutoRAG](https://developers.cloudflare.com/changelog/post/2025-06-19-autorag-custom-metadata-and-context/)  
[ AI Search ](https://developers.cloudflare.com/ai-search/)  
In [AutoRAG](https://developers.cloudflare.com/ai-search/), you can now view your object's custom metadata in the response from [/search](https://developers.cloudflare.com/ai-search/api/search/workers-binding/) and [/ai-search](https://developers.cloudflare.com/ai-search/api/search/workers-binding/), and optionally add a `context` field in the custom metadata of an object to provide additional guidance for AI-generated answers.  
You can add [custom metadata](https://developers.cloudflare.com/r2/api/workers/workers-api-reference/#r2putoptions) to an object when uploading it to your R2 bucket.  
#### Object's custom metadata in search responses  
When you run a search, AutoRAG now returns any custom metadata associated with the object. This metadata appears in the response inside `attributes` then `file` , and can be used for downstream processing.  
For example, the `attributes` section of your search response may look like:  
```  
{  "attributes": {    "timestamp": 1750001460000,    "folder": "docs/",    "filename": "launch-checklist.md",    "file": {      "url": "https://wiki.company.com/docs/launch-checklist",      "context": "A checklist for internal launch readiness, including legal, engineering, and marketing steps."    }  }}  
```  
#### Add a `context` field to guide LLM answers  
When you include a custom metadata field named `context`, AutoRAG attaches that value to each chunk of the file. When you run an `/ai-search` query, this `context` is passed to the LLM and can be used as additional input when generating an answer.  
We recommend using the `context` field to describe supplemental information you want the LLM to consider, such as a summary of the document or a source URL. If you have several different metadata attributes, you can join them together however you choose within the `context` string.  
For example:  
```  
{  "context": "summary: 'Checklist for internal product launch readiness, including legal, engineering, and marketing steps.'; url: 'https://wiki.company.com/docs/launch-checklist'"}  
```  
This gives you more control over how your content is interpreted, without requiring you to modify the original contents of the file.  
Learn more in AutoRAG's [metadata filtering documentation](https://developers.cloudflare.com/ai-search/configuration/indexing/metadata/).

Jun 19, 2025
1. ### [Filter your AutoRAG search by file name](https://developers.cloudflare.com/changelog/post/2025-06-19-autorag-filename-filter/)  
[ AI Search ](https://developers.cloudflare.com/ai-search/)  
In [AutoRAG](https://developers.cloudflare.com/ai-search/), you can now [filter](https://developers.cloudflare.com/ai-search/configuration/indexing/metadata/) by an object's file name using the `filename` attribute, giving you more control over which files are searched for a given query.  
This is useful when your application has already determined which files should be searched. For example, you might query a PostgreSQL database to get a list of files a user has access to based on their permissions, and then use that list to limit what AutoRAG retrieves.  
For example, your search query may look like:  
JavaScript  
```  
const response = await env.AI.autorag("my-autorag").search({  query: "what is the project deadline?",  filters: {    type: "eq",    key: "filename",    value: "project-alpha-roadmap.md",  },});  
```  
This allows you to connect your application logic with AutoRAG's retrieval process, making it easy to control what gets searched without needing to reindex or modify your data.  
Learn more in AutoRAG's [metadata filtering documentation](https://developers.cloudflare.com/ai-search/configuration/indexing/metadata/).

Jun 19, 2025
1. ### [Account-level DNS analytics now available via GraphQL Analytics API](https://developers.cloudflare.com/changelog/post/2025-06-23-account-level-dns-analytics-api/)  
[ DNS ](https://developers.cloudflare.com/dns/)  
Authoritative DNS analytics are now available on the **account level** via the [Cloudflare GraphQL Analytics API](https://developers.cloudflare.com/analytics/graphql-api/).  
This allows users to query DNS analytics across multiple zones in their account, by using the `accounts` filter.  
Here is an example to retrieve the most recent DNS queries across all zones in your account that resulted in an `NXDOMAIN` response over a given time frame. Please replace `a30f822fcd7c401984bf85d8f2a5111c` with your actual account ID.  
GraphQL example for account-level DNS analytics  
```  
query GetLatestNXDOMAINResponses {  viewer {    accounts(filter: { accountTag: "a30f822fcd7c401984bf85d8f2a5111c" }) {      dnsAnalyticsAdaptive(        filter: {          date_geq: "2025-06-16"          date_leq: "2025-06-18"          responseCode: "NXDOMAIN"        }        limit: 10000        orderBy: [datetime_DESC]      ) {        zoneTag        queryName        responseCode        queryType        datetime      }    }  }}  
```  
[Run in GraphQL API Explorer](https://graphql.cloudflare.com/explorer?query=I4VwpgTgngBA4mALgGQIaLAZ0QOQBoAiA8gLICCAkjgEpYAOA9gHaZYwDeAUDDAG4CWYAO6QO3HjFQBjKQxBNEmABQAzfgBsMEAFwdJMuQoAqqAOa6ARKgDMABhUAOAExOVUgCYB2KQBZbARgBOBx8AI0cAVncHFSdUCP9EqQsYAF8ASjEJCXcWMiZUdShEfilMMndUOhLeMCVxbJ41TUhdLkbGyowAfVMwYEsnWycIgFpbADZR-wmLBo6YLrBu9X7B4bHJ6Yc5hYkIemZWAGEGdzBLfGJyKl2F1Pns9X4AW35EXX9bb9tHiQYIOcIAAhKC6ADaSxKL2WBAAogBlY4AXT+mXaCwAXswwCZTH8eKBIFAcKgYQSYAdMIwWGBTucKUToEYoHQwBSoa92R0HtleWlOKkgA&variables=N4XyA)  
To learn more and get started, refer to the [DNS Analytics documentation](https://developers.cloudflare.com/dns/additional-options/analytics/#analytics).

Jun 19, 2025
1. ### [Automate Worker deployments with a simplified SDK and more reliable Terraform provider](https://developers.cloudflare.com/changelog/post/2025-06-17-workers-terraform-sdk-api-fixes/)  
[ D1 ](https://developers.cloudflare.com/d1/)[ Workers ](https://developers.cloudflare.com/workers/)[ Workers for Platforms ](https://developers.cloudflare.com/cloudflare-for-platforms/workers-for-platforms/)  
#### Simplified Worker Deployments with our SDKs  
We've simplified the programmatic deployment of Workers via our [Cloudflare SDKs](https://developers.cloudflare.com/fundamentals/api/reference/sdks/). This update abstracts away the low-level complexities of the `multipart/form-data` upload process, allowing you to focus on your code while we handle the deployment mechanics.  
This new interface is available in:

  * [cloudflare-typescript ↗](https://github.com/cloudflare/cloudflare-typescript) (4.4.1)
  * [cloudflare-python ↗](https://github.com/cloudflare/cloudflare-python) (4.3.1)  
For complete examples, see our guide on [programmatic Worker deployments](https://developers.cloudflare.com/workers/platform/infrastructure-as-code).  
#### The Old way: Manual API calls  
Previously, deploying a Worker programmatically required manually constructing a `multipart/form-data` HTTP request, packaging your code and a separate `metadata.json` file. This was more complicated and verbose, and prone to formatting errors.  
For example, here's how you would upload a Worker script previously with cURL:  
Terminal window  
```  
curl https://api.cloudflare.com/client/v4/accounts/<account_id>/workers/scripts/my-hello-world-script \  -X PUT \  -H 'Authorization: Bearer <api_token>' \  -F 'metadata={        "main_module": "my-hello-world-script.mjs",        "bindings": [          {            "type": "plain_text",            "name": "MESSAGE",            "text": "Hello World!"          }        ],        "compatibility_date": "$today"      };type=application/json' \  -F 'my-hello-world-script.mjs=@-;filename=my-hello-world-script.mjs;type=application/javascript+module' <<EOFexport default {  async fetch(request, env, ctx) {    return new Response(env.MESSAGE, { status: 200 });  }};EOF  
```  
#### After: SDK interface  
With the new SDK interface, you can now define your entire Worker configuration using a single, structured object.  
This approach allows you to specify metadata like `main_module`, `bindings`, and `compatibility_date` as clearer properties directly alongside your script content. Our SDK takes this logical object and automatically constructs the complex multipart/form-data API request behind the scenes.  
Here's how you can now programmatically deploy a Worker via the [cloudflare-typescript SDK ↗](https://github.com/cloudflare/cloudflare-typescript)

  * [  JavaScript ](#tab-panel-4877)
  * [  TypeScript ](#tab-panel-4878)  
JavaScript  
```  
import Cloudflare from "cloudflare";import { toFile } from "cloudflare/index";  
// ... client setup, script content, etc.  
const script = await client.workers.scripts.update(scriptName, {  account_id: accountID,  metadata: {    main_module: scriptFileName,    bindings: [],  },  files: {    [scriptFileName]: await toFile(Buffer.from(scriptContent), scriptFileName, {      type: "application/javascript+module",    }),  },});  
```  
TypeScript  
```  
import Cloudflare from 'cloudflare';import { toFile } from 'cloudflare/index';  
// ... client setup, script content, etc.  
const script = await client.workers.scripts.update(scriptName, {  account_id: accountID,  metadata: {    main_module: scriptFileName,    bindings: [],  },  files: {    [scriptFileName]: await toFile(Buffer.from(scriptContent), scriptFileName, {      type: 'application/javascript+module',    }),  },});  
```  
View the complete example here: [https://github.com/cloudflare/cloudflare-typescript/blob/main/examples/workers/script-upload.ts ↗](https://github.com/cloudflare/cloudflare-typescript/blob/main/examples/workers/script-upload.ts)  
#### Terraform provider improvements  
We've also made several fixes and enhancements to the [Cloudflare Terraform provider ↗](https://github.com/cloudflare/terraform-provider-cloudflare):

  * Fixed the [cloudflare\_workers\_script ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/workers%5Fscript) resource in Terraform, which previously was producing a diff even when there were no changes. Now, your `terraform plan` outputs will be cleaner and more reliable.
  * Fixed the [cloudflare\_workers\_for\_platforms\_dispatch\_namespace ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/workers%5Ffor%5Fplatforms%5Fdispatch%5Fnamespace), where the provider would attempt to recreate the namespace on a `terraform apply`. The resource now correctly reads its remote state, ensuring stability for production environments and CI/CD workflows.
  * The [cloudflare\_workers\_route ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/workers%5Froute) resource now allows for the `script` property to be empty, null, or omitted to indicate that pattern should be negated for all scripts (see routes [docs](https://developers.cloudflare.com/workers/configuration/routing/routes)). You can now reserve a pattern or temporarily disable a Worker on a route without deleting the route definition itself.
  * Using `primary_location_hint` in the [cloudflare\_d1\_database ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/d1%5Fdatabase) resource will no longer always try to recreate. You can now safely change the location hint for a D1 database without causing a destructive operation.  
#### API improvements  
We've also properly documented the [Workers Script And Version Settings](https://developers.cloudflare.com/api/resources/workers/subresources/scripts/subresources/script%5Fand%5Fversion%5Fsettings) in our public OpenAPI spec and SDKs.

Jun 18, 2025
1. ### [Gateway will now evaluate Network policies before HTTP policies from July 14th, 2025](https://developers.cloudflare.com/changelog/post/2025-06-17-new-order-of-enforcement/)  
[ Gateway ](https://developers.cloudflare.com/cloudflare-one/traffic-policies/)  
[Gateway](https://developers.cloudflare.com/cloudflare-one/traffic-policies/) will now evaluate [Network (Layer 4) policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/) **before** [HTTP (Layer 7) policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/). This change preserves your existing security posture and does not affect which traffic is filtered — but it may impact how notifications are displayed to end users.  
This change will roll out progressively between **July 14–18, 2025**. If you use HTTP policies, we recommend reviewing your configuration ahead of rollout to ensure the user experience remains consistent.  
#### Updated order of enforcement

**Previous order:**

  1. DNS policies
  2. HTTP policies
  3. Network policies

**New order:**

  1. DNS policies
  2. **Network policies**
  3. **HTTP policies**  
#### Action required: Review your Gateway HTTP policies  
This change may affect block notifications. For example:

  * You have an **HTTP policy** to block `example.com` and display a block page.
  * You also have a **Network policy** to block `example.com` silently (no client notification).  
With the new order, the Network policy will trigger first — and the user will no longer see the HTTP block page.  
To ensure users still receive a block notification, you can:

  * Add a client notification to your Network policy, or
  * Use only the HTTP policy for that domain.

---  
#### Why we’re making this change  
This update is based on user feedback and aims to:

  * Create a more intuitive model by evaluating network-level policies before application-level policies.
  * Minimize [526 connection errors](https://developers.cloudflare.com/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-526/#error-526-in-the-zero-trust-context) by verifying the network path to an origin before attempting to establish a decrypted TLS connection.

---  
To learn more, visit the [Gateway order of enforcement documentation](https://developers.cloudflare.com/cloudflare-one/traffic-policies/order-of-enforcement/).

Jun 18, 2025
1. ### [Log Explorer is GA](https://developers.cloudflare.com/changelog/post/2025-06-18-log-explorer-ga/)  
[ Log Explorer ](https://developers.cloudflare.com/log-explorer/)  
[Log Explorer](https://developers.cloudflare.com/log-explorer/) is now GA, providing native observability and forensics for traffic flowing through Cloudflare.  
Search and analyze your logs, natively in the Cloudflare dashboard. These logs are also stored in Cloudflare's network, eliminating many of the costs associated with other log providers.  
![Log Explorer dashboard](https://developers.cloudflare.com/_astro/log-explorer-dash.CJSVLZ7Y_ZXS1TD.webp)  
With Log Explorer, you can now:

  * **Monitor security and performance issues with custom dashboards** – use natural language to define charts for measuring response time, error rates, top statistics and more.
  * **Investigate and troubleshoot issues with Log Search** – use data type-aware search filters or custom sql to investigate detailed logs.
  * **Save time and collaborate with saved queries** – save Log Search queries for repeated use or sharing with other users in your account.
  * **Access Log Explorer at the account and zone level** – easily find Log Explorer at the account and zone level for querying any dataset.  
For help getting started, refer to [our documentation](https://developers.cloudflare.com/log-explorer/).

Jun 18, 2025
1. ### [Remote bindings public beta - Connect to remote resources (D1, KV, R2, etc.) during local development](https://developers.cloudflare.com/changelog/post/2025-06-18-remote-bindings-beta/)  
[ Workers ](https://developers.cloudflare.com/workers/)  
Today [we announced the public beta ↗](https://github.com/cloudflare/workers-sdk/discussions/9660) of [remote bindings](https://developers.cloudflare.com/workers/local-development/#remote-bindings) for local development. With remote bindings, you can now connect to deployed resources like [R2 buckets](https://developers.cloudflare.com/r2/) and [D1 databases](https://developers.cloudflare.com/d1/) while running Worker code on your local machine. This means you can test your local code changes against real data and services, without the overhead of deploying for each iteration.  
#### Example configuration  
To enable remote mode, add `"experimental_remote" : true` to each binding that you want to rely on a remote resource running on Cloudflare:

  * [  wrangler.jsonc ](#tab-panel-4871)
  * [  wrangler.toml ](#tab-panel-4872)  
JSONC  
```  
{  "name": "my-worker",  // Set this to today's date  "compatibility_date": "2026-07-01",  
  "r2_buckets": [    {      "bucket_name": "screenshots-bucket",      "binding": "screenshots_bucket",      "experimental_remote": true,    },  ],}  
```  
TOML  
```  
name = "my-worker"# Set this to today's datecompatibility_date = "2026-07-01"  
[[r2_buckets]]bucket_name = "screenshots-bucket"binding = "screenshots_bucket"experimental_remote = true  
```  
When remote bindings are configured, your Worker **still executes locally**, but all binding calls are proxied to the deployed resource that runs on Cloudflare's network.

**You can try out remote bindings for local development today with:**

  * [Wrangler v4.20.3](https://developers.cloudflare.com/workers/local-development/#remote-bindings): Use the `wrangler dev --x-remote-bindings` command.
  * The [Cloudflare Vite Plugin](https://developers.cloudflare.com/workers/local-development/#remote-bindings): Refer to the documentation for how to enable in your Vite config.
  * The [Cloudflare Vitest Plugin](https://developers.cloudflare.com/workers/local-development/#remote-bindings): Refer to the documentation for how to enable in your Vitest config.

**Have feedback?**Join the discussion in our [beta announcement ↗](https://github.com/cloudflare/workers-sdk/discussions/9660) to share feedback or report any issues.

Jun 17, 2025
1. ### [Terraform v5.6.0 now available](https://developers.cloudflare.com/changelog/post/2025-06-17-terraform-v560-provider/)  
[ Cloudflare Fundamentals ](https://developers.cloudflare.com/fundamentals/)[ Terraform ](https://developers.cloudflare.com/terraform/)  
Earlier this year, we announced the launch of the new [Terraform v5 Provider](https://developers.cloudflare.com/changelog/2025-02-03-terraform-v5-provider/). Unlike the earlier Terraform providers, v5 is automatically generated based on the OpenAPI Schemas for our REST APIs. Since launch, we have seen an unexpectedly high number of [issues ↗](https://github.com/cloudflare/terraform-provider-cloudflare)reported by customers. These issues currently impact about 15% of resources. We have been working diligently to address these issues across the company, and have released the v5.6.0 release which includes a number of bug fixes. Please keep an eye on this changelog for more information about upcoming releases.  
#### Changes

  * Broad fixes across resources with recurring diffs, including, but not limited to:  
    * `cloudflare_zero_trust_access_identity_provider`  
      * `cloudflare_zone`
  * `cloudflare_page_rules` runtime panic when setting `cache_level` to `cache_ttl_by_status`
  * Failure to serialize requests in `cloudflare_zero_trust_tunnel_cloudflared_config`
  * Undocumented field 'priority' on `zone_lockdown` resource
  * Missing importability for `cloudflare_zero_trust_device_default_profile_local_domain_fallback` and `cloudflare_account_subscription`
  * New resources:  
    * `cloudflare_schema_validation_operation_settings`
    * `cloudflare_schema_validation_schemas`
    * `cloudflare_schema_validation_settings`
    * `cloudflare_zero_trust_device_settings`
  * Other bug fixes  
For a more detailed look at all of the changes, see the [changelog ↗](https://github.com/cloudflare/terraform-provider-cloudflare/releases/tag/v5.6.0) in GitHub.  
#### Issues Closed

  * [#5098: 500 Server Error on updating 'zero\_trust\_tunnel\_cloudflared\_virtual\_network' Terraform resource ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues/5098)
  * [#5148: cloudflare\_user\_agent\_blocking\_rule doesn’t actually support user agents ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues/5148)
  * [#5472: cloudflare\_zone showing changes in plan after following upgrade steps ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues/5472)
  * [#5508: cloudflare\_zero\_trust\_tunnel\_cloudflared\_config failed to serialize http request ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues/5508)
  * [#5509: cloudflare\_zone: Problematic Terraform behaviour with paused zones ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues/5509)
  * [#5520: Resource 'cloudflare\_magic\_wan\_static\_route' is not working ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues/5520)
  * [#5524: Optional fields cause crash in cloudflare\_zero\_trust\_tunnel\_cloudflared(s) when left null ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues/5524)
  * [#5526: Provider v5 migration issue: no import method for cloudflare\_zero\_trust\_device\_default\_profile\_local\_domain\_fallback ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues/5526)
  * [#5532: cloudflare\_zero\_trust\_access\_identity\_provider detects changes on every plan ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues/5532)
  * [#5561: cloudflare\_zero\_trust\_tunnel\_cloudflared: cannot rotate tunnel secret ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues/5561)
  * [#5569: cloudflare\_zero\_trust\_device\_custom\_profile\_local\_domain\_fallback not allowing multiple DNS Server entries ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues/5569)
  * [#5577: Panic modifying page\_rule resource ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues/5577)
  * [#5653: cloudflare\_zone\_setting resource schema confusion in 5.5.0: value vs enabled ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues/5653)  
If you have an unaddressed issue with the provider, we encourage you to check the [open issues ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues) and open a new one if one does not already exist for what you are experiencing.  
#### Upgrading  
If you are evaluating a move from v4 to v5, please make use of the [migration guide ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/guides/version-5-upgrade). We have provided automated migration scripts using Grit which simplify the transition, although these do not support implementations which use Terraform modules, so customers making use of modules need to migrate manually. Please make use of `terraform plan` to test your changes before applying, and let us know if you encounter any additional issues by reporting to our [GitHub repository ↗](https://github.com/cloudflare/terraform-provider-cloudflare).  
#### For more info

  * [Terraform provider ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs)
  * [Documentation on using Terraform with Cloudflare](https://developers.cloudflare.com/terraform/)

Jun 17, 2025
1. ### [Control which routes invoke your Worker script for Single Page Applications](https://developers.cloudflare.com/changelog/post/2025-06-17-advanced-routing/)  
[ Workers ](https://developers.cloudflare.com/workers/)  
For those building [Single Page Applications (SPAs) on Workers](https://developers.cloudflare.com/workers/static-assets/routing/single-page-application/#advanced-routing-control), you can now explicitly define which routes invoke your Worker script in Wrangler configuration. The [run\_worker\_first config option](https://developers.cloudflare.com/workers/static-assets/binding/#run%5Fworker%5Ffirst) has now been expanded to accept an array of route patterns, allowing you to more granularly specify when your Worker script runs.

**Configuration example:**

  * [  wrangler.jsonc ](#tab-panel-4873)
  * [  wrangler.toml ](#tab-panel-4874)  
JSONC  
```  
{  "name": "my-spa-worker",  // Set this to today's date  "compatibility_date": "2026-07-01",  "main": "./src/index.ts",  "assets": {    "directory": "./dist/",    "not_found_handling": "single-page-application",    "binding": "ASSETS",    "run_worker_first": ["/api/*", "!/api/docs/*"]  }}  
```  
TOML  
```  
name = "my-spa-worker"# Set this to today's datecompatibility_date = "2026-07-01"main = "./src/index.ts"  
[assets]directory = "./dist/"not_found_handling = "single-page-application"binding = "ASSETS"run_worker_first = [ "/api/*", "!/api/docs/*" ]  
```  
This new routing control was done in partnership with our community and customers who provided great feedback on [our public proposal ↗](https://github.com/cloudflare/workers-sdk/discussions/9143). Thank you to everyone who brought forward use-cases and feedback on the design!  
#### Prerequisites  
To use advanced routing control with `run_worker_first`, you'll need:

  * [Wrangler](https://developers.cloudflare.com/workers/wrangler/install-and-update/) v4.20.0 and above
  * [Cloudflare Vite plugin](https://developers.cloudflare.com/workers/vite-plugin/get-started/) v1.7.0 and above

Jun 17, 2025
1. ### [SSRF vulnerability in @opennextjs/cloudflare proactively mitigated for all Cloudflare customers](https://developers.cloudflare.com/changelog/post/2025-06-17-open-next-ssrf/)  
[ Workers ](https://developers.cloudflare.com/workers/)  
Mitigations have been put in place for all existing and future deployments of sites with the Cloudflare adapter for Open Next in response to an identified Server-Side Request Forgery (SSRF) vulnerability in the `@opennextjs/cloudflare` package.  
The vulnerability stemmed from an unimplemented feature in the Cloudflare adapter for Open Next, which allowed users to proxy arbitrary remote content via the `/_next/image` endpoint.  
This issue allowed attackers to load remote resources from arbitrary hosts under the victim site's domain for any site deployed using the Cloudflare adapter for Open Next. For example: `https://victim-site.com/_next/image?url=https://attacker.com`. In this example, attacker-controlled content from `attacker.com` is served through the victim site's domain (`victim-site.com`), violating the same-origin policy and potentially misleading users or other services.  
References: [https://www.cve.org/cverecord?id=CVE-2025-6087 ↗](https://www.cve.org/cverecord?id=CVE-2025-6087), [https://github.com/opennextjs/opennextjs-cloudflare/security/advisories/GHSA-rvpw-p7vw-wj3m ↗](https://github.com/opennextjs/opennextjs-cloudflare/security/advisories/GHSA-rvpw-p7vw-wj3m)  
#### Impact

  * SSRF via unrestricted remote URL loading
  * Arbitrary remote content loading
  * Potential internal service exposure or phishing risks through domain abuse  
#### Mitigation  
The following mitigations have been put in place:

**Server side updates** to Cloudflare's platform to restrict the content loaded via the `/_next/image` endpoint to images. The update automatically mitigates the issue for all existing and any future sites deployed to Cloudflare using the affected version of the Cloudflare adapter for Open Next

**Root cause fix:** Pull request [#727 ↗](https://github.com/opennextjs/opennextjs-cloudflare/pull/727) to the Cloudflare adapter for Open Next. The patched version of the adapter has been released as `@opennextjs/cloudflare@1.3.0`

**Package dependency update:** Pull request [cloudflare/workers-sdk#9608 ↗](https://github.com/cloudflare/workers-sdk/pull/9608) to create-cloudflare (c3) to use the fixed version of the Cloudflare adapter for Open Next. The patched version of create-cloudflare has been published as `create-cloudflare@2.49.3`.  
In addition to the automatic mitigation deployed on Cloudflare's platform, we encourage affected users to upgrade to `@opennext/cloudflare` v1.3.0 and use the [remotePatterns ↗](https://nextjs.org/docs/pages/api-reference/components/image#remotepatterns) filter in Next config if they need to allow-list external urls with images assets.

Jun 16, 2025
1. ### [Internal DNS (beta) now manageable in the Cloudflare dashboard](https://developers.cloudflare.com/changelog/post/2025-06-16-internal-dns-beta-ui/)  
[ DNS ](https://developers.cloudflare.com/dns/)  
Participating beta testers can now fully configure [Internal DNS](https://developers.cloudflare.com/dns/internal-dns/) directly in the [Cloudflare dashboard ↗](https://dash.cloudflare.com/?to=/:account/internal-dns).  
#### Internal DNS enables customers to:

  * Map internal hostnames to private IPs for services, devices, and applications not exposed to the public Internet
  * Resolve internal DNS queries securely through [Cloudflare Gateway](https://developers.cloudflare.com/cloudflare-one/traffic-policies/)
  * Use split-horizon DNS to return different responses based on network context
  * Consolidate internal and public DNS zones within a single management platform  
#### What’s new in this release:

  * Beta participants can now create and manage internal zones and views in the Cloudflare dashboard  
![Internal DNS UI](https://developers.cloudflare.com/_astro/internal-dns-beta-ui.B5uCVZ9o_yVcqC.webp)  
Note  
The Internal DNS beta is currently only available to Enterprise customers.  
To learn more and get started, refer to the [Internal DNS documentation](https://developers.cloudflare.com/dns/internal-dns/).

Jun 16, 2025
1. ### [WAF Release - 2025-06-16](https://developers.cloudflare.com/changelog/post/2025-06-16-waf-release/)  
[ WAF ](https://developers.cloudflare.com/waf/)  
This week’s roundup highlights multiple critical vulnerabilities across popular web frameworks, plugins, and enterprise platforms. The focus lies on remote code execution (RCE), server-side request forgery (SSRF), and insecure file upload vectors that enable full system compromise or data exfiltration.

**Key Findings**

  * Cisco IOS XE (CVE-2025-20188): Critical RCE vulnerability enabling unauthenticated attackers to execute arbitrary commands on network infrastructure devices, risking total router compromise.
  * Axios (CVE-2024-39338): SSRF flaw impacting server-side request control, allowing attackers to manipulate internal service requests when misconfigured with unsanitized user input.
  * vBulletin (CVE-2025-48827, CVE-2025-48828): Two high-impact RCE flaws enabling attackers to remotely execute PHP code, compromising forum installations and underlying web servers.
  * Invision Community (CVE-2025-47916): A critical RCE vulnerability allowing authenticated attackers to run arbitrary code in community platforms, threatening data and lateral movement risk.
  * CrushFTP (CVE-2025-32102, CVE-2025-32103): SSRF vulnerabilities in upload endpoint processing permit attackers to pivot internal network scans and abuse internal services.
  * Roundcube (CVE-2025-49113): RCE via email processing enables attackers to execute code upon viewing a crafted email — particularly dangerous for webmail deployments.
  * WooCommerce WordPress Plugin (CVE-2025-47577): Dangerous file upload vulnerability permits unauthenticated users to upload executable payloads, leading to full WordPress site takeover.
  * Cross-Site Scripting (XSS) Detection Improvements: Enhanced detection patterns.

**Impact**  
These vulnerabilities span core systems — from routers to e-commerce to email. RCE in Cisco IOS XE, Roundcube, and vBulletin poses full system compromise. SSRF in Axios and CrushFTP supports internal pivoting, while WooCommerce’s file upload bug opens doors to mass WordPress exploitation.

| Ruleset                    | Rule ID     | Legacy Rule ID | Description                                                                | Previous Action | New Action | Comments                |
| -------------------------- | ----------- | -------------- | -------------------------------------------------------------------------- | --------------- | ---------- | ----------------------- |
| Cloudflare Managed Ruleset | ...35fefd53 | 100783         | Cisco IOS XE - Remote Code Execution - CVE:CVE-2025-20188                  | Log             | Block      | This is a New Detection |
| Cloudflare Managed Ruleset | ...8332af5d | 100784         | Axios - SSRF - CVE:CVE-2024-39338                                          | Log             | Block      | This is a New Detection |
| Cloudflare Managed Ruleset | ...2e1648d2 | 100785         | vBulletin - Remote Code Execution - CVE:CVE-2025-48827, CVE:CVE-2025-48828 | Log             | Block      | This is a New Detection |
| Cloudflare Managed Ruleset | ...0edcf1ef | 100786         | Invision Community - Remote Code Execution - CVE:CVE-2025-47916            | Log             | Block      | This is a New Detection |
| Cloudflare Managed Ruleset | ...d6f5eb48 | 100791         | CrushFTP - SSRF - CVE:CVE-2025-32102, CVE:CVE-2025-32103                   | Log             | Block      | This is a New Detection |
| Cloudflare Managed Ruleset | ...30baa18a | 100792         | Roundcube - Remote Code Execution - CVE:CVE-2025-49113                     | Log             | Block      | This is a New Detection |
| Cloudflare Managed Ruleset | ...229ba236 | 100793         | XSS - Ontoggle                                                             | Log             | Disabled   | This is a New Detection |
| Cloudflare Managed Ruleset | ...fa338296 | 100794         | WordPress WooCommerce Plugin - Dangerous File Upload - CVE:CVE-2025-47577  | Log             | Block      | This is a New Detection |

Jun 16, 2025
1. ### [Grant account members read-only access to the Workers Platform](https://developers.cloudflare.com/changelog/post/2025-06-16-workers-platform-admin-role/)  
[ Workers ](https://developers.cloudflare.com/workers/)  
You can now grant members of your Cloudflare account read-only access to the Workers Platform.  
The new "Workers Platform (Read-only)" role grants read-only access to all products typically used as part of Cloudflare's Developer Platform, including [Workers](https://developers.cloudflare.com/workers/), [Pages](https://developers.cloudflare.com/pages/), [Durable Objects](https://developers.cloudflare.com/durable-objects/), [KV](https://developers.cloudflare.com/kv/), [R2](https://developers.cloudflare.com/r2/), Zones, [Zone Analytics](https://developers.cloudflare.com/analytics/account-and-zone-analytics/zone-analytics/) and [Page Rules](https://developers.cloudflare.com/rules/). When Cloudflare introduces new products to the Workers platform, we will add additional read-only permissions to this role.  
Additionally, the role previously named "Workers Admin" has been renamed to "Workers Platform Admin". This change ensures that the name more accurately reflects the permissions granted — this role has always granted access to more than just Workers — it grants read and write access to the products mentioned above, and similarly, as new products are added to the Workers platform, we will add additional read and write permissions to this role.  
You can review the updated roles in the [developer docs](https://developers.cloudflare.com/fundamentals/manage-members/roles/).

Jun 11, 2025
1. ### [NSEC3 support for DNSSEC](https://developers.cloudflare.com/changelog/post/2025-06-11-nsec3-support/)  
[ DNS ](https://developers.cloudflare.com/dns/)  
Enterprise customers can now select NSEC3 as method for proof of non-existence on their zones.  
What's new:

  * **NSEC3 support for live-signed zones** – For both primary and secondary zones that are configured to be live-signed (also known as "on-the-fly signing"), NSEC3 can now be selected as proof of non-existence.
  * **NSEC3 support for pre-signed zones** – Secondary zones that are transferred to Cloudflare in a [pre-signed setup](https://developers.cloudflare.com/dns/zone-setups/zone-transfers/cloudflare-as-secondary/dnssec-for-secondary/#set-up-pre-signed-dnssec) now also support NSEC3 as proof of non-existence.  
For more information and how to enable NSEC3, refer to the [NSEC3 documentation](https://developers.cloudflare.com/dns/dnssec/enable-nsec3/).

Jun 10, 2025
1. ### [Increased limits for Media Transformations](https://developers.cloudflare.com/changelog/post/2025-06-10-media-transformations-limits-increase/)  
[ Stream ](https://developers.cloudflare.com/stream/)  
We have increased the limits for [Media Transformations](https://developers.cloudflare.com/stream/transform-videos/):

  * Input file size limit is now 100MB (was 40MB)
  * Output video duration limit is now 1 minute (was 30 seconds)  
Additionally, we have improved caching of the input asset, resulting in fewer requests to origin storage even when transformation options may differ.  
For more information, learn about [Transforming Videos](https://developers.cloudflare.com/stream/transform-videos/).

```json
{"@context":"https://schema.org","@type":"BlogPosting","@id":"https://developers.cloudflare.com/changelog/31/#page","headline":"Changelogs | Cloudflare Docs","url":"https://developers.cloudflare.com/changelog/31/","inLanguage":"en","image":"https://developers.cloudflare.com/cf-twitter-card.png","publisher":{"@type":"Organization","name":"Cloudflare","url":"https://www.cloudflare.com/"},"isPartOf":{"@type":"WebSite","@id":"https://developers.cloudflare.com/#website","name":"Cloudflare Docs","url":"https://developers.cloudflare.com/"}}
```
