---
title: Changelogs
image: https://developers.cloudflare.com/cf-twitter-card.png
---

> Documentation Index  
> Fetch the complete documentation index at: https://developers.cloudflare.com/changelog/llms.txt  
> Use this file to discover all available pages before exploring further. 

[Skip to content](#%5Ftop) 

# Changelog

New updates and improvements at Cloudflare.

[ Subscribe to RSS ](https://developers.cloudflare.com/changelog/rss/index.xml) [ View RSS feeds ](https://developers.cloudflare.com/fundamentals/new-features/available-rss-feeds/) 

All products

![hero image](https://developers.cloudflare.com/_astro/hero.CVYJHPAd_26AMqX.svg) 

Jun 10, 2025
1. ### [Access git commit sha and branch name as environment variables in Workers Builds](https://developers.cloudflare.com/changelog/post/2025-06-10-default-env-vars/)  
[ Workers ](https://developers.cloudflare.com/workers/)  
[Workers Builds](https://developers.cloudflare.com/workers/ci-cd/builds/) connects your Worker to a [Git repository](https://developers.cloudflare.com/workers/ci-cd/builds/git-integration/), and automates building and deploying your code on each pushed change.  
To make CI/CD pipelines even more flexible, Workers Builds now automatically injects [default environment variables](https://developers.cloudflare.com/workers/ci-cd/builds/configuration/#environment-variables) into your build process (much like the defaults in [Cloudflare Pages projects](https://developers.cloudflare.com/pages/configuration/build-configuration/#environment-variables)). You can use these variables to customize your build process based on the deployment context, such as the branch or commit.  
The following environment variables are injected by default:

| Environment Variable     | Injected value                | Example use-case                                                                      |
| ------------------------ | ----------------------------- | ------------------------------------------------------------------------------------- |
| CI                       | true                          | Changing build behavior when run on CI versus locally                                 |
| WORKERS\_CI              | 1                             | Changing build behavior when run on Workers Builds versus locally                     |
| WORKERS\_CI\_BUILD\_UUID | <build-uuid-of-current-build> | Passing the Build UUID along to custom workflows                                      |
| WORKERS\_CI\_COMMIT\_SHA | <sha1-hash-of-current-commit> | Passing current commit ID to error reporting, for example, Sentry                     |
| WORKERS\_CI\_BRANCH      | <branch-name-from-push-event  | Customizing build based on branch, for example, disabling debug logging on production |  
You can override these default values and add your own custom environment variables by navigating to **your Worker** \> **Settings** \> **Environment variables**.  
Learn more in the [Build configuration documentation](https://developers.cloudflare.com/workers/ci-cd/builds/configuration/#environment-variables).

Jun 09, 2025
1. ### [More flexible fallback handling — Custom Errors now support fetching assets returned with 4xx or 5xx status codes](https://developers.cloudflare.com/changelog/post/2025-06-09-custom-errors-fetch-4xx-5xx-assets/)  
[ Rules ](https://developers.cloudflare.com/rules/)  
[Custom Errors](https://developers.cloudflare.com/rules/custom-errors/) can now fetch and store [assets](https://developers.cloudflare.com/rules/custom-errors/create-rules/#create-a-custom-error-asset-dashboard) and [error pages](https://developers.cloudflare.com/rules/custom-errors/#error-pages) from your origin even if they are served with a 4xx or 5xx HTTP status code — previously, only 200 OK responses were allowed.

**What’s new:**

  * You can now upload error pages and error assets that return error status codes (for example, 403, 500, 502, 503, 504) when fetched.
  * These assets are stored and minified at the edge, so they can be reused across multiple Custom Error rules without triggering requests to the origin.  
This is especially useful for retrieving error content or downtime banners from your backend when you can’t override the origin status code.  
Learn more in the [Custom Errors](https://developers.cloudflare.com/rules/custom-errors/) documentation.

Jun 09, 2025
1. ### [Match Workers subrequests by upstream zone — cf.worker.upstream\_zone now supported in Transform Rules](https://developers.cloudflare.com/changelog/post/2025-06-09-transform-rule-subrequest-matching/)  
[ Rules ](https://developers.cloudflare.com/rules/)  
You can now use the [cf.worker.upstream\_zone](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.worker.upstream%5Fzone/) field in [Transform Rules](https://developers.cloudflare.com/rules/transform/) to control rule execution based on whether a request originates from [Workers](https://developers.cloudflare.com/workers/), including subrequests issued by Workers in other zones.  
![Match Workers subrequests by upstream zone in Transform Rules](https://developers.cloudflare.com/_astro/transform-rule-subrequest-matching.BeUBEN67_wWefn.webp)  

**What's new:**

  * `cf.worker.upstream_zone` is now supported in Transform Rules expressions.
  * Skip or apply logic conditionally when handling [Workers subrequests](https://developers.cloudflare.com/workers/platform/limits/#subrequests).  
For example, to add a header when the subrequest comes from another zone:  
Text in **Expression Editor** (replace `myappexample.com` with your domain):  
```  
(cf.worker.upstream_zone != "" and cf.worker.upstream_zone != "myappexample.com")  
```  
Selected operation under **Modify request header**: _Set static_

**Header name**: `X-External-Workers-Subrequest`

**Value**: `1`  
This gives you more granular control in how you handle incoming requests for your zone.  
Learn more in the [Transform Rules](https://developers.cloudflare.com/rules/transform/) documentation and [Rules language fields](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/) reference.

Jun 09, 2025
1. ### [WAF Release - 2025-06-09](https://developers.cloudflare.com/changelog/post/2025-06-09-waf-release/)  
[ WAF ](https://developers.cloudflare.com/waf/)  
This week’s update spotlights four critical vulnerabilities across CMS platforms, VoIP systems, and enterprise applications. Several flaws enable remote code execution or privilege escalation, posing significant enterprise risks.

**Key Findings**

  * WordPress OttoKit Plugin (CVE-2025-27007): Privilege escalation flaw allows unauthenticated attackers to create or elevate user accounts, compromising WordPress administrative control.
  * SAP NetWeaver (CVE-2025-42999): Remote Code Execution vulnerability enables attackers to execute arbitrary code on SAP NetWeaver systems, threatening core ERP and business operations.
  * Fortinet FortiVoice (CVE-2025-32756): Buffer error vulnerability may lead to memory corruption and potential code execution, directly impacting enterprise VoIP infrastructure.
  * Camaleon CMS (CVE-2024-46986): Remote Code Execution vulnerability allows attackers to gain full control over Camaleon CMS installations, exposing hosted content and underlying servers.

**Impact**  
These vulnerabilities target widely deployed CMS, ERP, and VoIP systems. RCE flaws in SAP NetWeaver and Camaleon CMS allow full takeover of business-critical applications. Privilege escalation in OttoKit exposes WordPress environments to full administrative compromise. FortiVoice buffer handling issues risk destabilizing or fully compromising enterprise telephony systems.

| Ruleset                    | Rule ID     | Legacy Rule ID | Description                                                          | Previous Action | New Action | Comments                |
| -------------------------- | ----------- | -------------- | -------------------------------------------------------------------- | --------------- | ---------- | ----------------------- |
| Cloudflare Managed Ruleset | ...0debd86e | 100769         | WordPress OttoKit Plugin - Privilege Escalation - CVE:CVE-2025-27007 | Log             | Block      | This is a New Detection |
| Cloudflare Managed Ruleset | ...5f57b448 | 100770         | SAP NetWeaver - Remote Code Execution - CVE:CVE-2025-42999           | Log             | Block      | This is a New Detection |
| Cloudflare Managed Ruleset | ...4df8857a | 100779         | Fortinet FortiVoice - Buffer Error - CVE:CVE-2025-32756              | Log             | Block      | This is a New Detection |
| Cloudflare Managed Ruleset | ...3b840107 | 100780         | Camaleon CMS - Remote Code Execution - CVE:CVE-2024-46986            | Log             | Block      | This is a New Detection |

Jun 09, 2025
1. ### [Workers native integrations were removed from the Cloudflare dashboard](https://developers.cloudflare.com/changelog/post/2025-06-09-workers-integrations-changes/)  
[ Workers ](https://developers.cloudflare.com/workers/)  
Workers native integrations were [originally launched in May 2023 ↗](https://blog.cloudflare.com/announcing-database-integrations/) to connect to popular database and observability providers with your Worker in just a few clicks. We are changing how developers connect Workers to these external services. The **Integrations** tab in the dashboard has been removed in favor of a more direct, command-line-based approach using [Wrangler secrets](https://developers.cloudflare.com/workers/wrangler/commands/general/#secret).  
#### What's changed

  * **Integrations tab removed**: The integrations setup flow is no longer available in the Workers dashboard.
  * **Manual secret configuration**: New connections should be configured by adding credentials as secrets to your Workers using `npx wrangler secret put` commands.  
#### Impact on existing integrations

**Existing integrations will continue to work without any changes required.** If you have integrations that were previously created through the dashboard, they will remain functional.  
#### Updating existing integrations  
If you'd like to modify your existing integration, you can update the secrets, environment variables, or [Tail Workers](https://developers.cloudflare.com/workers/observability/logs/tail-workers/) that were created from the original integration setup.

  * **Update secrets**: Use `npx wrangler secret put <SECRET_NAME>` to update credential values.
  * **Modify environment variables**: Update variables through the dashboard or Wrangler configuration.
  * **Dashboard management**: Access your Worker's settings in the [Cloudflare dashboard ↗](https://dash.cloudflare.com) to modify connections created by our removed native integrations feature.  
If you have previously set up an observability integration with [Sentry ↗](https://sentry.io), the following environment variables were set and are still modifiable:

  * `BLOCKED_HEADERS`: headers to exclude sending to Sentry
  * `EXCEPTION_SAMPLING_RATE`: number from 0 - 100, where 0 = no events go through to Sentry, and 100 = all events go through to Sentry
  * `STATUS_CODES_TO_SAMPLING_RATES`: a map of status codes -- like 400 or with wildcards like 4xx -- to sampling rates described above  
#### Setting up new database and observability connections  
For new connections, refer to our step-by-step guides on connecting to popular database and observability providers including: [Sentry](https://developers.cloudflare.com/workers/observability/third-party-integrations/sentry), [Turso](https://developers.cloudflare.com/workers/databases/third-party-integrations/turso/), [Neon](https://developers.cloudflare.com/workers/databases/third-party-integrations/neon/), [Supabase](https://developers.cloudflare.com/workers/databases/third-party-integrations/supabase/), [PlanetScale](https://developers.cloudflare.com/workers/databases/third-party-integrations/planetscale/), [Upstash](https://developers.cloudflare.com/workers/databases/third-party-integrations/upstash/), [Xata](https://developers.cloudflare.com/workers/databases/third-party-integrations/xata/).

Jun 05, 2025
1. ### [Performance and size optimization for the Cloudflare adapter for Open Next](https://developers.cloudflare.com/changelog/post/2025-06-05-open-next-size/)  
[ Workers ](https://developers.cloudflare.com/workers/)  
With the release of the Cloudflare adapter for Open Next v1.0.0 in May 2025, we already had followups plans [to improve performance and size ↗](https://blog.cloudflare.com/deploying-nextjs-apps-to-cloudflare-workers-with-the-opennext-adapter/#1-0-and-the-road-ahead).  
`@opennextjs/cloudflare` v1.2 released on June 5, 2025 delivers on these enhancements. By removing `babel` from the app code and dropping a dependency on `@ampproject/toolbox-optimizer`, we were able to reduce generated bundle sizes. Additionally, by stopping preloading of all app routes, we were able to improve the cold start time.  
This means that users will now see a decrease from 14 to 8MiB (2.3 to 1.6MiB gzipped) in generated bundle size for a Next app created via create-next-app, and typically 100ms faster startup times for their medium-sized apps.  
Users only need to update to the latest version of `@opennextjs/cloudflare` to automatically benefit from these improvements.  
Note that we published [CVE-2005-6087 ↗](https://github.com/opennextjs/opennextjs-cloudflare/security/advisories/GHSA-rvpw-p7vw-wj3m) for a SSRF vulnerability in the `@opennextjs/cloudflare` package. The vulnerability has been fixed from `@opennextjs/cloudflare` v1.3.0 onwards. Please update to any version after this one.

Jun 05, 2025
1. ### [Cloudflare One Analytics Dashboards and Exportable Access Report](https://developers.cloudflare.com/changelog/post/dashboards-access-report/)  
[ Access ](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/)[ Cloudflare One ](https://developers.cloudflare.com/cloudflare-one/)  
Cloudflare One now offers powerful new analytics dashboards to help customers easily discover available insights into their application access and network activity. These dashboards provide a centralized, intuitive view for understanding user behavior, application usage, and security posture.  
!\[Cloudflare One Analytics Dashboards\](\~/assets/images/changelog/cloudflare-one/Analytics Dashboards.png)  
Additionally, a new exportable access report is available, allowing customers to quickly view high-level metrics and trends in their application access. A **preview** of the report is shown below, with more to be found in the report:  
![Cloudflare One Analytics Dashboards](https://developers.cloudflare.com/_astro/access-report.C744W7JR_2uzMcN.webp)  
Both features are accessible in the Cloudflare [Zero Trust dashboard ↗](https://one.dash.cloudflare.com/), empowering organizations with better visibility and control.

Jun 04, 2025
1. ### [New Account-Level Load Balancing UI and Private Load Balancers](https://developers.cloudflare.com/changelog/post/2025-06-04-account-load-balancing-ui/)  
[ Load Balancing ](https://developers.cloudflare.com/load-balancing/)  
We've made two large changes to load balancing:

  * Redesigned the user interface, now centralized at the **account level**.
  * Introduced [**Private Load Balancers**](https://developers.cloudflare.com/load-balancing/private-network/) to the UI, enabling you to manage traffic for all of your external and internal applications in a single spot.  
This update streamlines how you manage load balancers across multiple zones and extends robust traffic management to your private network infrastructure.  
![Load Balancing UI](https://developers.cloudflare.com/_astro/account-load-balancing-ui.CoCi7gPb_Z2rDoCY.webp)  

**Key Enhancements:**

  * **Account-Level UI Consolidation:**

    * **Unified Management:** Say goodbye to navigating individual zones for load balancing tasks. You can now view, configure, and monitor all your load balancers across every zone in your account from a single, intuitive interface at the account level.
    * **Improved Efficiency:** This centralized approach provides a more streamlined workflow, making it faster and easier to manage both your public-facing and internal traffic distribution.
  * **Private Network Load Balancing:**

    * **Secure Internal Application Access:** Create [**Private Load Balancers**](https://developers.cloudflare.com/load-balancing/private-network/) to distribute traffic to applications hosted within your private network, ensuring they are not exposed to the public Internet.
    * **WARP & Magic WAN Integration:** Effortlessly direct internal traffic from users connected via Cloudflare WARP or through your Magic WAN infrastructure to the appropriate internal endpoint pools.
    * **Enhanced Security for Internal Resources:** Combine reliable Load Balancing with Zero Trust access controls to ensure your internal services are both performant and only accessible by verified users.  
![Private Load Balancers](https://developers.cloudflare.com/_astro/private-load-balancer.yti20m_p_q5zIk.webp)

Jun 03, 2025
1. ### [AI Gateway adds OpenAI compatible endpoint](https://developers.cloudflare.com/changelog/post/2025-06-03-aig-openai-compatible-endpoint/)  
[ AI Gateway ](https://developers.cloudflare.com/ai-gateway/)  
Users can now use an [OpenAI Compatible endpoint](https://developers.cloudflare.com/ai-gateway/usage/chat-completion/) in AI Gateway to easily switch between providers, while keeping the exact same request and response formats. We're launching now with the chat completions endpoint, with the embeddings endpoint coming up next.  
To get started, use the OpenAI compatible chat completions endpoint URL with your own account id and gateway id and switch between providers by changing the `model` and `apiKey` parameters.  
OpenAI SDK Example  
```  
import OpenAI from "openai";const client = new OpenAI({  apiKey: "YOUR_PROVIDER_API_KEY", // Provider API key  baseURL:    "https://gateway.ai.cloudflare.com/v1/{account_id}/{gateway_id}/compat",});  
const response = await client.chat.completions.create({  model: "google-ai-studio/gemini-2.0-flash",  messages: [{ role: "user", content: "What is Cloudflare?" }],});  
console.log(response.choices[0].message.content);  
```  
Additionally, the [OpenAI Compatible endpoint](https://developers.cloudflare.com/ai-gateway/usage/chat-completion/) can be combined with our [Universal Endpoint](https://developers.cloudflare.com/ai-gateway/usage/universal/) to add fallbacks across multiple providers. That means AI Gateway will return every response in the same standardized format, no extra parsing logic required!  
Learn more in the [OpenAI Compatibility](https://developers.cloudflare.com/ai-gateway/usage/chat-completion/) documentation.

Jun 03, 2025
1. ### [Improved onboarding for Shopify merchants](https://developers.cloudflare.com/changelog/post/2025-06-03-shopify-o2o-improvements/)  
[ DNS ](https://developers.cloudflare.com/dns/)  
Shopify merchants can now onboard to **O2O** automatically, without needing to contact support or community members.  
What's new:

  * **Automatic enablement** – O2O is available for all mutual Cloudflare and Shopify customers.
  * **Branded record display** – Merchants see a Shopify logo in DNS records, complete with helpful tooltips.  
  ![Shopify O2O logo](https://developers.cloudflare.com/_astro/shop-dns-icon-o2o.Ca5DAZHL_1weoif.webp)
  * **Checkout protection** – Workers and Snippets are blocked from running on the checkout path to reduce risk and improve security.  
For more information, refer to the [provider guide](https://developers.cloudflare.com/cloudflare-for-platforms/cloudflare-for-saas/saas-customers/provider-guides/shopify/).

Jun 03, 2025
1. ### [View an architecture diagram of your Worker directly in the Cloudflare dashboard](https://developers.cloudflare.com/changelog/post/2025-06-03-visualize-your-worker-architecture/)  
[ Workers ](https://developers.cloudflare.com/workers/)  
You can now visualize, explore and modify your Worker’s architecture directly in the Cloudflare dashboard, making it easier to understand how your application connects to Cloudflare resources like [D1 databases](https://developers.cloudflare.com/d1), [Durable Objects](https://developers.cloudflare.com/durable-objects), [KV namespaces](https://developers.cloudflare.com/kv), and [more](https://developers.cloudflare.com/workers/runtime-apis/bindings/).  
![Bindings canvas](https://developers.cloudflare.com/_astro/bindings-canvas.CszRUVlh_1ytnrB.webp)  
With this new view, you can easily:

  * Explore existing bindings in a visual, architecture-style diagram
  * Add and manage bindings directly from the same interface
  * Discover the full range of compute, storage, AI, and media resources you can attach to your Workers application.  
To get started, head to the [Cloudflare dashboard ↗](https://dash.cloudflare.com/?to=/:account/workers-and-pages) and open the **Bindings** tab of any Workers application.

Jun 02, 2025
1. ### [Cloudflare User Groups & Enhanced Permission Policies are now in Beta](https://developers.cloudflare.com/changelog/post/2025-06-02-user-groups-beta/)  
[ Cloudflare Fundamentals ](https://developers.cloudflare.com/fundamentals/)  
We're excited to announce the Public Beta launch of **User Groups for Cloudflare Dashboard** and **System for Cross Domain Identity Management (SCIM) User Groups**, expanding our RBAC capabilities to simplify user and group management at scale.  
We've also visually overhauled the **Permission Policies UI** to make defining permissions more intuitive.

**What's New**

**User Groups \[BETA\]**: [User Groups](https://developers.cloudflare.com/fundamentals/manage-members/user-groups/) are a new Cloudflare IAM primitive that enable administrators to create collections of account members that are treated equally from an access control perspective. User Groups can be assigned permission policies, with individual members in the group inheriting all permissions granted to the User Group. User Groups can be created manually or via our APIs.

**SCIM User Groups \[BETA\]**: Centralize & simplify your user and group management at scale by syncing memberships directly from your upstream identity provider (like Okta or Entra ID) to the Cloudflare Platform. This ensures Cloudflare stays in sync with your identity provider, letting you apply Permission Policies to those synced groups directly within the Cloudflare Dashboard.  
Note  
SCIM Virtual Groups (identified by the pattern `CF-<accountID>-<Role Name>` in your IdP) are deprecated as of 06/02/25\. We recommend migrating SCIM Virtual Groups implementations to use [SCIM User Groups](https://developers.cloudflare.com/fundamentals/account/account-security/scim-setup/). If you did not use Virtual Groups, no action is needed.

**Revamped Permission Policies UI \[BETA\]**: As Cloudflare's services have grown, so has the need for precise, role-based access control. We've given the Permission Policies builder a visual overhaul to make it much easier for administrators to find and define the exact permissions they want for specific principals.  
![Updated Permissions Policy UX](https://developers.cloudflare.com/_astro/2025-06-02-permissions-policy-ux.2wLEPgVX_7gPgJ.webp)  
Note  
When opting into the Beta for User Groups and Permission Policies, you'll be transitioning to a new experience. Please be aware that opting out isn't currently available.  
For more info:

  * [Get started with User Groups](https://developers.cloudflare.com/fundamentals/manage-members/user-groups/)
  * [Explore our SCIM integration guide](https://developers.cloudflare.com/fundamentals/account/account-security/scim-setup/)

Jun 02, 2025
1. ### [WAF Release - 2025-06-02](https://developers.cloudflare.com/changelog/post/2025-06-02-waf-release/)  
[ WAF ](https://developers.cloudflare.com/waf/)  
This week’s roundup highlights five high-risk vulnerabilities affecting SD-WAN, load balancers, and AI platforms. Several flaws enable unauthenticated remote code execution or authentication bypass.

**Key Findings**

  * Versa Concerto SD-WAN (CVE-2025-34026, CVE-2025-34027): Authentication bypass vulnerabilities allow attackers to gain unauthorized access to SD-WAN management interfaces, compromising network segmentation and control.
  * Kemp LoadMaster (CVE-2024-7591): Remote Code Execution vulnerability enables attackers to execute arbitrary commands, potentially leading to full device compromise within enterprise load balancing environments.
  * AnythingLLM (CVE-2024-0759): Server-Side Request Forgery (SSRF) flaw allows external attackers to force the LLM backend to make unauthorized internal network requests, potentially exposing sensitive internal resources.
  * Anyscale Ray (CVE-2023-48022): Remote Code Execution vulnerability affecting distributed AI workloads, allowing attackers to execute arbitrary code on Ray cluster nodes.
  * Server-Side Request Forgery (SSRF) - Generic & Obfuscated Payloads: Ongoing advancements in SSRF payload techniques observed, including obfuscation and expanded targeting of cloud metadata services and internal IP ranges.

**Impact**  
These vulnerabilities expose critical infrastructure across networking, AI platforms, and SaaS integrations. Unauthenticated RCE and auth bypass flaws in Versa Concerto, Kemp LoadMaster, and Anyscale Ray allow full system compromise. AnythingLLM and SSRF payload variants expand attack surfaces into internal cloud resources, sensitive APIs, and metadata services, increasing risk of privilege escalation, data theft, and persistent access.

| Ruleset                    | Rule ID     | Legacy Rule ID | Description                                                 | Previous Action | New Action | Comments                |
| -------------------------- | ----------- | -------------- | ----------------------------------------------------------- | --------------- | ---------- | ----------------------- |
| Cloudflare Managed Ruleset | ...39b52f02 | 100764         | Versa Concerto SD-WAN - Auth Bypass - CVE:CVE-2025-34027    | Log             | Block      | This is a New Detection |
| Cloudflare Managed Ruleset | ...a34edb97 | 100765         | Versa Concerto SD-WAN - Auth Bypass - CVE:CVE-2025-34026    | Log             | Block      | This is a New Detection |
| Cloudflare Managed Ruleset | ...0d99b2db | 100766         | Kemp LoadMaster - Remote Code Execution - CVE:CVE-2024-7591 | Log             | Block      | This is a New Detection |
| Cloudflare Managed Ruleset | ...95aa3a4f | 100767         | AnythingLLM - SSRF - CVE:CVE-2024-0759                      | Log             | Block      | This is a New Detection |
| Cloudflare Managed Ruleset | ...840a0966 | 100768         | Anyscale Ray - Remote Code Execution - CVE:CVE-2023-48022   | Log             | Block      | This is a New Detection |
| Cloudflare Managed Ruleset | ...9d16ee18 | 100781         | SSRF - Generic Payloads                                     | N/A             | Disabled   | This is a New Detection |
| Cloudflare Managed Ruleset | ...5c963d9d | 100782         | SSRF - Obfuscated Payloads                                  | N/A             | Disabled   | This is a New Detection |

May 30, 2025
1. ### [Cloudflare Pages builds now provide Node.js v22 by default](https://developers.cloudflare.com/changelog/post/2025-05-30-pages-build-image-v3/)  
[ Pages ](https://developers.cloudflare.com/pages/)  
When you use the built-in build system that is part of [Cloudflare Pages](https://developers.cloudflare.com/pages/), the [Build Image](https://developers.cloudflare.com/pages/configuration/build-image/) now includes Node.js v22\. Previously, Node.js v18 was provided by default, and Node.js v18 is now end-of-life (EOL).  
If you are creating a new Pages project, the new V3 build image that includes Node.js v22 will be used by default. If you have an existing Pages project, you can update to the latest build image by navigating to Settings > Build & deployments > Build system version in the Cloudflare dashboard for a specific Pages project.  
Note that you can always specify a particular version of Node.js or other built-in dependencies by [setting an environment variable](https://developers.cloudflare.com/pages/configuration/build-image/#override-default-versions).  
For more, refer to the [developer docs for Cloudflare Pages builds](https://developers.cloudflare.com/pages/configuration/build-image)

May 30, 2025
1. ### [Fine-tune image optimization — WebP now supported in Configuration Rules](https://developers.cloudflare.com/changelog/post/2025-05-30-configuration-rules-webp/)  
[ Rules ](https://developers.cloudflare.com/rules/)  
You can now enable [Polish](https://developers.cloudflare.com/images/polish/activate-polish/) with the `webp` format directly in [Configuration Rules](https://developers.cloudflare.com/rules/configuration-rules/), allowing you to optimize image delivery for specific routes, user agents, or A/B tests — without applying changes zone-wide.

**What’s new:**

  * [WebP](https://developers.cloudflare.com/images/polish/compression/#webp) is now a supported [value](https://developers.cloudflare.com/rules/configuration-rules/settings/#polish) in the **Polish** setting for Configuration Rules.  
This gives you more precise control over how images are compressed and delivered, whether you're targeting modern browsers, running experiments, or tailoring performance by geography or device type.  
Learn more in the [Polish](https://developers.cloudflare.com/images/polish/) and [Configuration Rules](https://developers.cloudflare.com/rules/configuration-rules/) documentation.

May 30, 2025
1. ### [Debug, profile, and view logs for your Worker in Chrome Devtools — now supported in the Cloudflare Vite plugin](https://developers.cloudflare.com/changelog/post/2025-05-21-vite-plugin-chrome-devtools/)  
[ Workers ](https://developers.cloudflare.com/workers/)  
You can now [debug, profile, view logs, and analyze memory usage for your Worker ↗](https://developers.cloudflare.com/workers/observability/dev-tools/) using [Chrome Devtools ↗](https://developer.chrome.com/docs/devtools) when your Worker runs locally using the [Cloudflare Vite plugin ↗](https://developers.cloudflare.com/workers/vite-plugin/).  
Previously, this was only possible if your Worker ran locally using the [Wrangler CLI ↗](https://developers.cloudflare.com/workers/wrangler/), and now you can do all the same things if your Worker uses [Vite ↗](https://vite.dev/).  
When you run `vite`, you'll now see a debug URL in your console:  
```  
  VITE v6.3.5  ready in 461 ms  
  ➜  Local:   http://localhost:5173/  ➜  Network: use --host to expose  ➜  Debug:   http://localhost:5173/__debug  ➜  press h + enter to show help  
```  
Open the URL in Chrome, and an instance of Chrome Devtools will open and connect to your Worker running locally. You can then use Chrome Devtools to debug and introspect performance issues. For example, you can navigate to the Performance tab to understand where CPU time is spent in your Worker:  
![CPU Profile](https://developers.cloudflare.com/_astro/profile.Dz8PUp_K_Z16J4tW.webp)  
For more information on how to get the most out of Chrome Devtools, refer to the following docs:

  * [Debug code by setting breakpoints](https://developers.cloudflare.com/workers/observability/dev-tools/breakpoints/)
  * [Profile CPU usage](https://developers.cloudflare.com/workers/observability/dev-tools/cpu-usage/)
  * [Observe memory usage and debug memory leaks](https://developers.cloudflare.com/workers/observability/dev-tools/memory-usage/)

May 29, 2025
1. ### [New Gateway Analytics in the Cloudflare One Dashboard](https://developers.cloudflare.com/changelog/post/gateway-analytics-v2/)  
[ Gateway ](https://developers.cloudflare.com/cloudflare-one/traffic-policies/)[ Cloudflare One ](https://developers.cloudflare.com/cloudflare-one/)  
Users can now access significant enhancements to Cloudflare Gateway analytics, providing you with unprecedented visibility into your organization's DNS queries, HTTP requests, and Network sessions. These powerful new dashboards enable you to go beyond raw logs and gain actionable insights into how your users are interacting with the Internet and your protected resources.  
You can now visualize and explore:

  * Patterns Over Time: Understand trends in traffic volume and blocked requests, helping you identify anomalies and plan for future capacity.
  * Top Users & Destinations: Quickly pinpoint the most active users, enabling better policy enforcement and resource allocation.
  * Actions Taken: See a clear breakdown of security actions applied by Gateway policies, such as blocks and allows, offering a comprehensive view of your security posture.
  * Geographic Regions: Gain insight into the global distribution of your traffic.  
![Gateway Analytics](https://developers.cloudflare.com/_astro/gateway-analytics.BdSwbIBb_1WTkQL.webp)  
To access the new overview, log in to your Cloudflare [Zero Trust dashboard ↗](https://one.dash.cloudflare.com/) and go to Analytics in the side navigation bar.

May 29, 2025
1. ### [50-500ms Faster D1 REST API Requests](https://developers.cloudflare.com/changelog/post/2025-05-30-d1-rest-api-latency/)  
[ D1 ](https://developers.cloudflare.com/d1/)[ Workers ](https://developers.cloudflare.com/workers/)  
Users using Cloudflare's [REST API](https://developers.cloudflare.com/api/resources/d1/) to query their D1 database can see lower end-to-end request latency now that D1 authentication is performed at the closest Cloudflare network data center that received the request. Previously, authentication required D1 REST API requests to proxy to Cloudflare's core, centralized data centers, which added network round trips and latency.  
Latency improvements range from 50-500 ms depending on request location and [database location](https://developers.cloudflare.com/d1/configuration/data-location/) and only apply to the REST API. REST API requests and databases outside the United States see a bigger benefit since Cloudflare's primary core data centers reside in the United States.  
D1 query endpoints like `/query` and `/raw` have the most noticeable improvements since they no longer access Cloudflare's core data centers. D1 control plane endpoints such as those to create and delete databases see smaller improvements, since they still require access to Cloudflare's core data centers for other control plane metadata.

May 28, 2025
1. ### [Playwright MCP server is now compatible with Browser Rendering](https://developers.cloudflare.com/changelog/post/2025-05-28-playwright-mcp/)  
[ Browser Run ](https://developers.cloudflare.com/browser-run/)  
We're excited to share that you can now use the [Playwright MCP ↗](https://github.com/cloudflare/playwright-mcp) server with Browser Rendering.  
Once you [deploy the server](https://developers.cloudflare.com/browser-run/playwright/playwright-mcp/#deploying), you can use any MCP client with it to interact with Browser Rendering. This allows you to run AI models that can automate browser tasks, such as taking screenshots, filling out forms, or scraping data.  
![Access Analytics](https://developers.cloudflare.com/_astro/playground-ai-screenshot.v44jFMBu_Z1xgc6e.webp)  
Playwright MCP is available as an npm package at [@cloudflare/playwright-mcp ↗](https://www.npmjs.com/package/@cloudflare/playwright-mcp). To install it, type:  
 npm  yarn  pnpm  bun  
```  
npm i -D @cloudflare/playwright-mcp  
```  
```  
yarn add -D @cloudflare/playwright-mcp  
```  
```  
pnpm add -D @cloudflare/playwright-mcp  
```  
```  
bun add -d @cloudflare/playwright-mcp  
```  
Deploying the server is then as easy as:  
TypeScript  
```  
import { env } from "cloudflare:workers";import { createMcpAgent } from "@cloudflare/playwright-mcp";  
export const PlaywrightMCP = createMcpAgent(env.BROWSER);export default PlaywrightMCP.mount("/sse");  
```  
Check out the full code at [GitHub ↗](https://github.com/cloudflare/playwright-mcp).  
Learn more about Playwright MCP in our [documentation](https://developers.cloudflare.com/browser-run/playwright/playwright-mcp/).

May 28, 2025
1. ### [Updated attack score model](https://developers.cloudflare.com/changelog/post/2025-05-28-updated-attack-score-model/)  
[ WAF ](https://developers.cloudflare.com/waf/)  
We have deployed an updated attack score model focused on enhancing the detection of multiple false positives (FPs).  
As a result of this improvement, some changes in observed attack scores are expected.

May 27, 2025
1. ### [Increased limits for Cloudflare for SaaS and Secrets Store free and Pay-as-you-go plans](https://developers.cloudflare.com/changelog/post/2025-05-19-paygo-updates/)  
[ SSL/TLS ](https://developers.cloudflare.com/ssl/)[ Cloudflare for SaaS ](https://developers.cloudflare.com/cloudflare-for-platforms/cloudflare-for-saas/)[ Secrets Store ](https://developers.cloudflare.com/secrets-store/)  
With upgraded limits to [all free and paid plans ↗](https://www.cloudflare.com/plans/), you can now scale more easily with [Cloudflare for SaaS ↗](https://developers.cloudflare.com/cloudflare-for-platforms/cloudflare-for-saas/) and [Secrets Store ↗](https://developers.cloudflare.com/secrets-store/).  
[Cloudflare for SaaS ↗](https://developers.cloudflare.com/cloudflare-for-platforms/cloudflare-for-saas/) allows you to extend the benefits of Cloudflare to your customers via their own custom or vanity domains. Now, the [limit for custom hostnames ↗](https://developers.cloudflare.com/cloudflare-for-platforms/cloudflare-for-saas/plans/) on a Cloudflare for SaaS Pay-as-you-go plan has been **raised from 5,000 custom hostnames to 50,000 custom hostnames.**  
With custom origin server -- previously an enterprise-only feature -- you can route traffic from one or more custom hostnames somewhere other than your default proxy fallback. [Custom origin server ↗](https://developers.cloudflare.com/cloudflare-for-platforms/cloudflare-for-saas/start/advanced-settings/custom-origin/) is now available to Cloudflare for SaaS customers on Free, Pro, and Business plans.  
You can enable custom origin server on a per-custom hostname basis [via the API ↗](https://developers.cloudflare.com/api/resources/custom%5Fhostnames/methods/edit/) or the UI:  
![Import repo or choose template](https://developers.cloudflare.com/_astro/custom-origin-server.B-BXcG-1_ZUd9i6.webp)  
Currently [in beta with a Workers integration ↗](https://blog.cloudflare.com/secrets-store-beta/), [Cloudflare Secrets Store ↗](https://developers.cloudflare.com/secrets-store/) allows you to store, manage, and deploy account level secrets from a secure, centralized platform your [Cloudflare Workers ↗](https://developers.cloudflare.com/workers/). Now, you can create and deploy **100 secrets per account**. Try it out [in the dashboard ↗](http://dash.cloudflare.com/?to=/:account/secrets-store), with [Wrangler ↗](https://developers.cloudflare.com/secrets-store/integrations/workers/), or [via the API ↗](https://developers.cloudflare.com/api/resources/secrets%5Fstore/) today.

May 27, 2025
1. ### [Gateway Protocol Detection Now Available for Pay-as-you-go and Free Plans](https://developers.cloudflare.com/changelog/post/2025-05-27-protocol-detection-availability/)  
[ Gateway ](https://developers.cloudflare.com/cloudflare-one/traffic-policies/)  
All Cloudflare One Gateway users can now use Protocol detection logging and filtering, including those on Pay-as-you-go and Free plans.  
With Protocol Detection, admins can identify and enforce policies on traffic proxied through Gateway based on the underlying network protocol (for example, HTTP, TLS, or SSH), enabling more granular traffic control and security visibility no matter your plan tier.  
This feature is available to enable in your account network settings for all accounts. For more information on using Protocol Detection, refer to the [Protocol detection documentation](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/protocol-detection/).

May 27, 2025
1. ### [WAF Release - 2025-05-27](https://developers.cloudflare.com/changelog/post/2025-05-27-waf-release/)  
[ WAF ](https://developers.cloudflare.com/waf/)  
This week’s roundup covers nine vulnerabilities, including six critical RCEs and one dangerous file upload. Affected platforms span cloud services, CI/CD pipelines, CMSs, and enterprise backup systems. Several are now addressed by updated WAF managed rulesets.

**Key Findings**

  * Ingress-Nginx (CVE-2025-1098): Unauthenticated RCE via unsafe annotation handling. Impacts Kubernetes clusters.
  * GitHub Actions (CVE-2025-30066): RCE through malicious workflow inputs. Targets CI/CD pipelines.
  * Craft CMS (CVE-2025-32432): Template injection enables unauthenticated RCE. High risk to content-heavy sites.
  * F5 BIG-IP (CVE-2025-31644): RCE via TMUI exploit, allowing full system compromise.
  * AJ-Report (CVE-2024-15077): RCE through untrusted template execution. Affects reporting dashboards.
  * NAKIVO Backup (CVE-2024-48248): RCE via insecure script injection. High-value target for ransomware.
  * SAP NetWeaver (CVE-2025-31324): Dangerous file upload flaw enables remote shell deployment.
  * Ivanti EPMM (CVE-2025-4428, 4427): Auth bypass allows full access to mobile device management.
  * Vercel (CVE-2025-32421): Information leak via misconfigured APIs. Useful for attacker recon.

**Impact**  
These vulnerabilities expose critical components across Kubernetes, CI/CD pipelines, and enterprise systems to severe threats including unauthenticated remote code execution, authentication bypass, and information leaks. High-impact flaws in Ingress-Nginx, Craft CMS, F5 BIG-IP, and NAKIVO Backup enable full system compromise, while SAP NetWeaver and AJ-Report allow remote shell deployment and template-based attacks. Ivanti EPMM’s auth bypass further risks unauthorized control over mobile device fleets.  
GitHub Actions and Vercel introduce supply chain and reconnaissance risks, allowing malicious workflow inputs and data exposure that aid in targeted exploitation. Organizations should prioritize immediate patching, enhance monitoring, and deploy updated WAF and IDS signatures to defend against likely active exploitation.

| Ruleset                    | Rule ID     | Legacy Rule ID | Description                                                      | Previous Action | New Action | Comments                |
| -------------------------- | ----------- | -------------- | ---------------------------------------------------------------- | --------------- | ---------- | ----------------------- |
| Cloudflare Managed Ruleset | ...d127592a | 100746         | Vercel - Information Disclosure                                  | Log             | Disabled   | This is a New Detection |
| Cloudflare Managed Ruleset | ...95442495 | 100754         | AJ-Report - Remote Code Execution - CVE:CVE-2024-15077           | Log             | Block      | This is a New Detection |
| Cloudflare Managed Ruleset | ...dfee7ae4 | 100756         | NAKIVO Backup - Remote Code Execution - CVE:CVE-2024-48248       | Log             | Block      | This is a New Detection |
| Cloudflare Managed Ruleset | ...1c52f6d0 | 100757         | Ingress-Nginx - Remote Code Execution - CVE:CVE-2025-1098        | Log             | Disabled   | This is a New Detection |
| Cloudflare Managed Ruleset | ...95442495 | 100759         | SAP NetWeaver - Dangerous File Upload - CVE:CVE-2025-31324       | Log             | Block      | This is a New Detection |
| Cloudflare Managed Ruleset | ...5366ccc1 | 100760         | Craft CMS - Remote Code Execution - CVE:CVE-2025-32432           | Log             | Block      | This is a New Detection |
| Cloudflare Managed Ruleset | ...eb40686b | 100761         | GitHub Action - Remote Code Execution - CVE:CVE-2025-30066       | Log             | Disabled   | This is a New Detection |
| Cloudflare Managed Ruleset | ...60fc041c | 100762         | Ivanti EPMM - Auth Bypass - CVE:CVE-2025-4428, CVE:CVE-2025-4427 | Log             | Block      | This is a New Detection |
| Cloudflare Managed Ruleset | ...ebafdfe6 | 100763         | F5 Big IP - Remote Code Execution - CVE:CVE-2025-31644           | Log             | Disabled   | This is a New Detection |

May 23, 2025
1. ### [New GraphQL Analytics API Explorer and MCP Server](https://developers.cloudflare.com/changelog/post/2025-05-23-graphql-api-explorer/)  
[ Analytics ](https://developers.cloudflare.com/analytics/)  
We’ve launched two powerful new tools to make the GraphQL Analytics API more accessible:  
#### GraphQL API Explorer  
The new [GraphQL API Explorer ↗](https://graphql.cloudflare.com/explorer) helps you build, test, and run queries directly in your browser. Features include:

  * In-browser schema documentation to browse available datasets and fields
  * Interactive query editor with autocomplete and inline documentation
  * A "Run in GraphQL API Explorer" button to execute example queries from our docs
  * Seamless OAuth authentication — no manual setup required  
![GraphQL API Explorer](https://developers.cloudflare.com/_astro/graphql-api-explorer.CPUNZZ5B_1RXsdE.webp)  
#### GraphQL Model Context Protocol (MCP) Server  
MCP Servers let you use natural language tools like Claude to generate structured queries against your data. See our [blog post ↗](https://blog.cloudflare.com/thirteen-new-mcp-servers-from-cloudflare/) for details on how they work and which servers are available. The new [GraphQL MCP server ↗](https://github.com/cloudflare/mcp-server-cloudflare/tree/main/apps/graphql) helps you discover and generate useful queries for the GraphQL Analytics API. With this server, you can:

  * Explore what data is available to query
  * Generate and refine queries using natural language, with one-click links to run them in the API Explorer
  * Build dashboards and visualizations from structured query outputs  
Example prompts include:

  * “Show me HTTP traffic for the last 7 days for example.com”
  * “What GraphQL node returns firewall events?”
  * “Can you generate a link to the Cloudflare GraphQL API Explorer with a pre-populated query and variables?”  
We’re continuing to expand these tools, and your feedback helps shape what’s next. [Explore the documentation](https://developers.cloudflare.com/analytics/graphql-api/) to learn more and get started.

May 22, 2025
1. ### [Handle incoming request cancellation in Workers with Request.signal](https://developers.cloudflare.com/changelog/post/2025-05-22-handle-request-cancellation/)  
[ Workers ](https://developers.cloudflare.com/workers/)  
In Cloudflare Workers, you can now attach an event listener to [Request](https://developers.cloudflare.com/workers/runtime-apis/request/) objects, using the [signal property ↗](https://developer.mozilla.org/en-US/docs/Web/API/Request/signal). This allows you to perform tasks when the request to your Worker is canceled by the client. To use this feature, you must set the [enable\_request\_signal](https://developers.cloudflare.com/workers/configuration/compatibility-flags/#enable-requestsignal-for-incoming-requests) compatibility flag.  
You can use a listener to perform cleanup tasks or write to logs before your Worker's invocation ends. For example, if you run the Worker below, and then abort the request from the client, a log will be written:

  * [  JavaScript ](#tab-panel-4879)
  * [  TypeScript ](#tab-panel-4880)  
index.js  
```  
export default {  async fetch(request, env, ctx) {    // This sets up an event listener that will be called if the client disconnects from your    // worker.    request.signal.addEventListener("abort", () => {      console.log("The request was aborted!");    });  
    const { readable, writable } = new IdentityTransformStream();    sendPing(writable);    return new Response(readable, {      headers: { "Content-Type": "text/plain" },    });  },};  
async function sendPing(writable) {  const writer = writable.getWriter();  const enc = new TextEncoder();  
  for (;;) {    // Send 'ping' every second to keep the connection alive    await writer.write(enc.encode("ping\r\n"));    await scheduler.wait(1000);  }}  
```  
index.ts  
```  
export default {  async fetch(request, env, ctx): Promise<Response> {    // This sets up an event listener that will be called if the client disconnects from your    // worker.    request.signal.addEventListener('abort', () => {      console.log('The request was aborted!');    });  
    const { readable, writable } = new IdentityTransformStream();    sendPing(writable);    return new Response(readable, { headers: { 'Content-Type': 'text/plain' } });  },} satisfies ExportedHandler<Env>;  
async function sendPing(writable: WritableStream): Promise<void> {  const writer = writable.getWriter();  const enc = new TextEncoder();  
  for (;;) {    // Send 'ping' every second to keep the connection alive    await writer.write(enc.encode('ping\r\n'));    await scheduler.wait(1000);  }}  
```  
For more information see the [Request documentation](https://developers.cloudflare.com/workers/runtime-apis/request).

```json
{"@context":"https://schema.org","@type":"BlogPosting","@id":"https://developers.cloudflare.com/changelog/32/#page","headline":"Changelogs | Cloudflare Docs","url":"https://developers.cloudflare.com/changelog/32/","inLanguage":"en","image":"https://developers.cloudflare.com/cf-twitter-card.png","publisher":{"@type":"Organization","name":"Cloudflare","url":"https://www.cloudflare.com/"},"isPartOf":{"@type":"WebSite","@id":"https://developers.cloudflare.com/#website","name":"Cloudflare Docs","url":"https://developers.cloudflare.com/"}}
```
