---
title: Changelogs
image: https://developers.cloudflare.com/cf-twitter-card.png
---

> Documentation Index  
> Fetch the complete documentation index at: https://developers.cloudflare.com/changelog/llms.txt  
> Use this file to discover all available pages before exploring further. 

[Skip to content](#%5Ftop) 

# Changelog

New updates and improvements at Cloudflare.

[ Subscribe to RSS ](https://developers.cloudflare.com/changelog/rss/index.xml) [ View RSS feeds ](https://developers.cloudflare.com/fundamentals/new-features/available-rss-feeds/) 

All products

![hero image](https://developers.cloudflare.com/_astro/hero.CVYJHPAd_26AMqX.svg) 

May 19, 2025
1. ### [WAF Release - 2025-05-19](https://developers.cloudflare.com/changelog/post/2025-05-19-waf-release/)  
[ WAF ](https://developers.cloudflare.com/waf/)  
This week's analysis covers four vulnerabilities, with three rated critical due to their Remote Code Execution (RCE) potential. One targets a high-traffic frontend platform, while another targets a popular content management system. These detections are now part of the Cloudflare Managed Ruleset in _Block_ mode.

**Key Findings**

  * Commvault Command Center (CVE-2025-34028) exposes an unauthenticated RCE via insecure command injection paths in the web UI. This is critical due to its use in enterprise backup environments.
  * BentoML (CVE-2025-27520) reveals an exploitable vector where serialized payloads in model deployment APIs can lead to arbitrary command execution. This targets modern AI/ML infrastructure.
  * Craft CMS (CVE-2024-56145) allows RCE through template injection in unauthenticated endpoints. It poses a significant risk for content-heavy websites with plugin extensions.
  * Apache HTTP Server (CVE-2024-38475) discloses sensitive server config data due to misconfigured `mod_proxy` behavior. While not RCE, this is useful for pre-attack recon.

**Impact**  
These newly detected vulnerabilities introduce critical risk across modern web stacks, AI infrastructure, and content platforms: unauthenticated RCEs in Commvault, BentoML, and Craft CMS enable full system compromise with minimal attacker effort.  
Apache HTTPD information leak can support targeted reconnaissance, increasing the success rate of follow-up exploits. Organizations using these platforms should prioritize patching and monitor for indicators of exploitation using updated WAF detection rules.

| Ruleset                    | Rule ID     | Legacy Rule ID | Description                                                           | Previous Action | New Action | Comments                |
| -------------------------- | ----------- | -------------- | --------------------------------------------------------------------- | --------------- | ---------- | ----------------------- |
| Cloudflare Managed Ruleset | ...75129820 | 100745         | Apache HTTP Server - Information Disclosure - CVE:CVE-2024-38475      | Log             | Block      | This is a New Detection |
| Cloudflare Managed Ruleset | ...26a517f1 | 100747         | Commvault Command Center - Remote Code Execution - CVE:CVE-2025-34028 | Log             | Block      | This is a New Detection |
| Cloudflare Managed Ruleset | ...d7619ccb | 100749         | BentoML - Remote Code Execution - CVE:CVE-2025-27520                  | Log             | Disabled   | This is a New Detection |
| Cloudflare Managed Ruleset | ...f15bfda4 | 100753         | Craft CMS - Remote Code Execution - CVE:CVE-2024-56145                | Log             | Block      | This is a New Detection |

May 18, 2025
1. ### [New Applications Added to Zero Trust](https://developers.cloudflare.com/changelog/post/new-applications-71825/)  
[ Cloudflare One ](https://developers.cloudflare.com/cloudflare-one/)  
42 new applications have been added for Zero Trust support within the Application Library and Gateway policy enforcement, giving you the ability to investigate or apply inline policies to these applications.  
33 of the 42 applications are Artificial Intelligence applications. The others are Human Resources (2 applications), Development (2 applications), Productivity (2 applications), Sales & Marketing, Public Cloud, and Security.  
To view all available applications, log in to your Cloudflare [Zero Trust dashboard ↗](https://one.dash.cloudflare.com/), navigate to the **App Library** under **My Team**.  
For more information on creating Gateway policies, see our [Gateway policy documentation](https://developers.cloudflare.com/cloudflare-one/traffic-policies/).

May 16, 2025
1. ### [New Access Analytics in the Cloudflare One Dashboard](https://developers.cloudflare.com/changelog/post/access-analytics-v2/)  
[ Access ](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/)[ Cloudflare One ](https://developers.cloudflare.com/cloudflare-one/)  
A new Access Analytics dashboard is now available to all Cloudflare One customers. Customers can apply and combine multiple filters to dive into specific slices of their Access metrics. These filters include:

  * Logins granted and denied
  * Access events by type (SSO, Login, Logout)
  * Application name (Salesforce, Jira, Slack, etc.)
  * Identity provider (Okta, Google, Microsoft, onetimepin, etc.)
  * Users (`chris@cloudflare.com`, `sally@cloudflare.com`, `rachel@cloudflare.com`, etc.)
  * Countries (US, CA, UK, FR, BR, CN, etc.)
  * Source IP address
  * App type (self-hosted, Infrastructure, RDP, etc.)  
![Access Analytics](https://developers.cloudflare.com/_astro/accessanalytics.DYXgwZCl_Z2PPi7.webp)  
To access the new overview, log in to your Cloudflare [Zero Trust dashboard ↗](https://one.dash.cloudflare.com/) and find Analytics in the side navigation bar.

May 16, 2025
1. ### [Durable Objects are now supported in Python Workers](https://developers.cloudflare.com/changelog/post/2025-05-14-python-worker-durable-object/)  
[ Workers ](https://developers.cloudflare.com/workers/)[ Durable Objects ](https://developers.cloudflare.com/durable-objects/)  
You can now create [Durable Objects](https://developers.cloudflare.com/durable-objects/) using [Python Workers](https://developers.cloudflare.com/workers/languages/python/). A Durable Object is a special kind of Cloudflare Worker which uniquely combines compute with storage, enabling stateful long-running applications which run close to your users. For more info see [here](https://developers.cloudflare.com/durable-objects/concepts/what-are-durable-objects/).  
You can define a Durable Object in Python in a similar way to JavaScript:  
Python  
```  
from workers import DurableObject, Response, WorkerEntrypoint  
from urllib.parse import urlparse  
class MyDurableObject(DurableObject):    def __init__(self, ctx, env):        self.ctx = ctx        self.env = env  
    def fetch(self, request):        result = self.ctx.storage.sql.exec("SELECT 'Hello, World!' as greeting").one()        return Response(result.greeting)  
class Default(WorkerEntrypoint):    async def fetch(self, request):        url = urlparse(request.url)        id = env.MY_DURABLE_OBJECT.idFromName(url.path)        stub = env.MY_DURABLE_OBJECT.get(id)        greeting = await stub.fetch(request.url)        return greeting  
```  
Define the Durable Object in your Wrangler configuration file:

  * [  wrangler.jsonc ](#tab-panel-4883)
  * [  wrangler.toml ](#tab-panel-4884)  
JSONC  
```  
{  "durable_objects": {    "bindings": [      {        "name": "MY_DURABLE_OBJECT",        "class_name": "MyDurableObject"      }    ]  }}  
```  
TOML  
```  
[[durable_objects.bindings]]name = "MY_DURABLE_OBJECT"class_name = "MyDurableObject"  
```  
Then define the storage backend for your Durable Object:

  * [  wrangler.jsonc ](#tab-panel-4885)
  * [  wrangler.toml ](#tab-panel-4886)  
JSONC  
```  
{  "migrations": [    {      "tag": "v1", // Should be unique for each entry      "new_sqlite_classes": [ // Array of new classes        "MyDurableObject"      ]    }  ]}  
```  
TOML  
```  
[[migrations]]tag = "v1"new_sqlite_classes = [ "MyDurableObject" ]  
```  
Then test your new Durable Object locally by running `wrangler dev`:  
Terminal window  
```  
npx wrangler dev  
```  
Consult the [Durable Objects documentation](https://developers.cloudflare.com/durable-objects/) for more details.

May 15, 2025
1. ### [Open email attachments with Browser Isolation](https://developers.cloudflare.com/changelog/post/2025-05-08-open-attachments-with-browser-isolation/)  
[ Email security ](https://developers.cloudflare.com/cloudflare-one/email-security/)  
You can now safely open email attachments to view and investigate them.  
What this means is that messages now have a **Attachments** section. Here, you can view processed attachments and their classifications (for example, _Malicious_, _Suspicious_, _Encrypted_). Next to each attachment, a **Browser Isolation** icon allows your team to safely open the file in a **clientless, isolated browser** with no risk to the analyst or your environment.  
![Attachment-RBI](https://developers.cloudflare.com/_astro/Attachment-RBI.U9Dp8dJO_265xjw.webp)  
To use this feature, you must:

  * Turn on **Allow users to open a remote browser without the device client** in your Zero Trust settings.
  * Have **Browser Isolation (BISO)** seats assigned.  
For more details, refer to our [setup guide](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/setup/clientless-browser-isolation/).  
Some attachment types may not render in Browser Isolation. If there is a file type that you would like to be opened with Browser Isolation, reach out to your Cloudflare contact.  
This feature is available across these Email security packages:

  * **Advantage**
  * **Enterprise**
  * **Enterprise + PhishGuard**

May 14, 2025
1. ### [Domain Categories improvements](https://developers.cloudflare.com/changelog/post/2025-05-14-domain-category-improvements/)  
[ Gateway ](https://developers.cloudflare.com/cloudflare-one/traffic-policies/)  

**New categories added**

| Parent ID | Parent Name           | Category ID | Category Name                 |
| --------- | --------------------- | ----------- | ----------------------------- |
| 1         | Ads                   | 66          | Advertisements                |
| 3         | Business & Economy    | 185         | Personal Finance              |
| 3         | Business & Economy    | 186         | Brokerage & Investing         |
| 21        | Security Threats      | 187         | Compromised Domain            |
| 21        | Security Threats      | 188         | Potentially Unwanted Software |
| 6         | Education             | 189         | Reference                     |
| 9         | Government & Politics | 190         | Charity and Non-profit        |

**Changes to existing categories**

| Original Name | New Name                |
| ------------- | ----------------------- |
| Religion      | Religion & Spirituality |
| Government    | Government/Legal        |
| Redirect      | URL Alias/Redirect      |  
Refer to [Gateway domain categories](https://developers.cloudflare.com/cloudflare-one/traffic-policies/domain-categories/) to learn more.

May 14, 2025
1. ### [Hyperdrive achieves FedRAMP Moderate-Impact Authorization](https://developers.cloudflare.com/changelog/post/2025-05-14-hyperdrive-fedramp/)  
[ Hyperdrive ](https://developers.cloudflare.com/hyperdrive/)  
Hyperdrive has been approved for FedRAMP Authorization and is now available in the [FedRAMP Marketplace ↗](https://marketplace.fedramp.gov/products/FR2000863987).  
FedRAMP is a U.S. government program that provides standardized assessment and authorization for cloud products and services. As a result of this product update, Hyperdrive has been approved as an authorized service to be used by U.S. federal agencies at the Moderate Impact level.  
For detailed information regarding FedRAMP and its implications, please refer to the [official FedRAMP documentation for Cloudflare ↗](https://marketplace.fedramp.gov/products/FR2000863987).

May 14, 2025
1. ### [Introducing Origin Restrictions for Media Transformations](https://developers.cloudflare.com/changelog/post/2025-05-14-media-transformations-origin-restrictions/)  
[ Stream ](https://developers.cloudflare.com/stream/)  
We are adding [source origin restrictions](https://developers.cloudflare.com/stream/transform-videos/sources/) to the Media Transformations beta. This allows customers to restrict what sources can be used to fetch images and video for transformations. This feature is the same as --- and uses the same settings as --- [Image Transformations sources](https://developers.cloudflare.com/images/optimization/transformations/sources/).  
When transformations is first enabled, the default setting only allows transformations on images and media from the same website or domain being used to make the transformation request. In other words, by default, requests to `example.com/cdn-cgi/media` can only reference originals on `example.com`.  
![Enable allowed origins from the Cloudflare dashboard](https://developers.cloudflare.com/_astro/allowed-origins.4hu5lHws_ZsjEgI.webp)  
Adding access to other sources, or allowing any source, [is easy to do](https://developers.cloudflare.com/images/optimization/transformations/sources/)in the **Transformations** tab under **Stream**. Click each domain enabled for Transformations and set its sources list to match the needs of your content. The user making this change will need permission to edit zone settings.  
For more information, learn about [Transforming Videos](https://developers.cloudflare.com/stream/transform-videos/).

May 13, 2025
1. ### [SAML HTTP-POST bindings support for RBI](https://developers.cloudflare.com/changelog/post/2025-05-13-rbi-saml-post-support/)  
[ Browser Isolation ](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/)  
Remote Browser Isolation (RBI) now supports SAML HTTP-POST bindings, enabling seamless authentication for SSO-enabled applications that rely on POST-based SAML responses from Identity Providers (IdPs) within a Remote Browser Isolation session. This update resolves a previous limitation that caused `405` errors during login and improves compatibility with multi-factor authentication (MFA) flows.  
With expanded support for major IdPs like Okta and Azure AD, this enhancement delivers a more consistent and user-friendly experience across authentication workflows. Learn how to [set up Remote Browser Isolation](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/setup/).

May 13, 2025
1. ### [New Applications Added for DNS Filtering](https://developers.cloudflare.com/changelog/post/2025-05-13-new-applications-added/)  
[ Gateway ](https://developers.cloudflare.com/cloudflare-one/traffic-policies/)  
You can now create DNS policies to manage outbound traffic for an expanded list of applications. This update adds support for 273 new applications, giving you more control over your organization's outbound traffic.  
With this update, you can:

  * Create DNS policies for a wider range of applications
  * Manage outbound traffic more effectively
  * Improve your organization's security and compliance posture  
For more information on creating DNS policies, see our [DNS policy documentation](https://developers.cloudflare.com/cloudflare-one/traffic-policies/dns-policies/).

May 12, 2025
1. ### [Case Sensitive Custom Word Lists](https://developers.cloudflare.com/changelog/post/2025-05-12-case-sensitive-cwl/)  
[ Data Loss Prevention ](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/)  
You can now configure [custom word lists](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/detection-entries/configure-detection-entries/#custom-wordlist-datasets) to enforce case sensitivity. This setting supports flexibility where needed and aims to reduce false positives where letter casing is critical.  
![dlp](https://developers.cloudflare.com/_astro/case-sesitive-cwl.MPuOc_3r_220dca.webp)

May 09, 2025
1. ### [Publish messages to Queues directly via HTTP](https://developers.cloudflare.com/changelog/post/2025-05-09-publish-to-queues-via-http/)  
[ Queues ](https://developers.cloudflare.com/queues/)  
You can now publish messages to [Cloudflare Queues](https://developers.cloudflare.com/queues/) directly via HTTP from any service or programming language that supports sending HTTP requests. Previously, publishing to queues was only possible from within [Cloudflare Workers](https://developers.cloudflare.com/workers/). You can already consume from queues via Workers or [HTTP pull consumers](https://developers.cloudflare.com/queues/configuration/pull-consumers/), and now publishing is just as flexible.  
Publishing via HTTP requires a [Cloudflare API token](https://developers.cloudflare.com/fundamentals/api/get-started/create-token/) with `Queues Edit` permissions for authentication. Here's a simple example:  
Terminal window  
```  
curl "https://api.cloudflare.com/client/v4/accounts/<account_id>/queues/<queue_id>/messages" \  -X POST \  -H 'Authorization: Bearer <api_token>' \  --data '{ "body": { "greeting": "hello", "timestamp":  "2025-07-24T12:00:00Z"} }'  
```  
You can also use our [SDKs](https://developers.cloudflare.com/fundamentals/api/reference/sdks/) for TypeScript, Python, and Go.  
To get started with HTTP publishing, check out our [step-by-step example](https://developers.cloudflare.com/queues/examples/publish-to-a-queue-via-http/) and the full API documentation in our [API reference](https://developers.cloudflare.com/api/resources/queues/subresources/messages/methods/push/).

May 09, 2025
1. ### [More ways to match — Snippets now support Custom Lists, Bot Score, and WAF Attack Score](https://developers.cloudflare.com/changelog/post/2025-05-09-snippets-cloud-connector-lists-waf-bot-scores/)  
[ Rules ](https://developers.cloudflare.com/rules/)  
You can now use IP, Autonomous System (AS), and Hostname [custom lists](https://developers.cloudflare.com/waf/tools/lists/custom-lists/) to route traffic to [Snippets](https://developers.cloudflare.com/rules/snippets/) and [Cloud Connector](https://developers.cloudflare.com/rules/cloud-connector/), giving you greater precision and control over how you match and process requests at the edge.  
In Snippets, you can now also match on [Bot Score](https://developers.cloudflare.com/bots/concepts/bot-score/) and [WAF Attack Score](https://developers.cloudflare.com/waf/detections/attack-score/), unlocking smarter edge logic for everything from request filtering and mitigation to [tarpitting](https://developers.cloudflare.com/rules/snippets/examples/slow-suspicious-requests/) and logging.

**What’s new:**

  * [Custom lists](https://developers.cloudflare.com/waf/tools/lists/custom-lists/) matching – Snippets and Cloud Connector now support user-created IP, AS, and Hostname lists via dashboard or [Lists API](https://developers.cloudflare.com/api/resources/rules/subresources/lists/methods/list/). Great for shared logic across zones.
  * [Bot Score](https://developers.cloudflare.com/bots/concepts/bot-score/) and [WAF Attack Score](https://developers.cloudflare.com/waf/detections/attack-score/) – Use Cloudflare’s intelligent traffic signals to detect bots or attacks and take advanced, tailored actions with just a few lines of code.  
![New fields in Snippets](https://developers.cloudflare.com/_astro/snippets-lists-scores.D05l6zgc_ZG4Rof.webp)  
These enhancements unlock new possibilities for building smarter traffic workflows with minimal code and maximum efficiency.  
Learn more in the [Snippets](https://developers.cloudflare.com/rules/snippets/) and [Cloud Connector](https://developers.cloudflare.com/rules/cloud-connector/) documentation.

May 08, 2025
1. ### [Open email links with Browser Isolation](https://developers.cloudflare.com/changelog/post/2025-05-15-open-links-browser-isolation/)  
[ Email security ](https://developers.cloudflare.com/cloudflare-one/email-security/)  
You can now safely open links in emails to view and investigate them.  
![Open links with Browser Isolation](https://developers.cloudflare.com/_astro/investigate-links.pYbpGkt5_Z1DQRHU.webp)  
From **Investigation**, go to **View details**, and look for the **Links identified** section. Next to each link, the Cloudflare dashboard will display an **Open in Browser Isolation** icon which allows your team to safely open the link in a clientless, isolated browser with no risk to the analyst or your environment. Refer to [Open links](https://developers.cloudflare.com/cloudflare-one/email-security/investigation/search-email/#open-links) to learn more about this feature.  
To use this feature, you must:

  * Turn on **Allow users to open a remote browser without the device client** in your Zero Trust settings.
  * Have **Browser Isolation (RBI)** seats assigned.  
For more details, refer to our [setup guide](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/setup/clientless-browser-isolation/).  
This feature is available across these Email security packages:

  * **Advantage**
  * **Enterprise**
  * **Enterprise + PhishGuard**

May 08, 2025
1. ### [URL Scanner now supports geo-specific scanning](https://developers.cloudflare.com/changelog/post/2025-05-07-url-scanner-geoegress/)  
[ Security Center ](https://developers.cloudflare.com/security-center/)  
Enterprise customers can now choose the geographic location from which a URL scan is performed — either via [Security Center](https://developers.cloudflare.com/security-center/investigate/) in the Cloudflare dashboard or via the [URL Scanner API](https://developers.cloudflare.com/api/resources/url%5Fscanner/subresources/scans/methods/create/).  
This feature gives security teams greater insight into how a website behaves across different regions, helping uncover targeted, location-specific threats.

**What’s new:**

  * Location Picker: Select a location for the scan via **Security Center → Investigate** in the dashboard or through the API.
  * Region-aware scanning: Understand how content changes by location — useful for detecting regionally tailored attacks.
  * Default behavior: If no location is set, scans default to the user’s current geographic region.  
Learn more in the [Security Center documentation](https://developers.cloudflare.com/security-center/).

May 08, 2025
1. ### [Improved Payload Logging for WAF Managed Rules](https://developers.cloudflare.com/changelog/post/2025-05-08-improved-payload-logging/)  
[ WAF ](https://developers.cloudflare.com/waf/)  
We have upgraded WAF Payload Logging to enhance rule diagnostics and usability:

  * **Targeted logging**: Logs now capture only the specific portions of requests that triggered WAF rules, rather than entire request segments.
  * **Visual highlighting**: Matched content is visually highlighted in the UI for faster identification.
  * **Enhanced context**: Logs now include surrounding context to make diagnostics more effective.  
![Log entry showing payload logging details](https://developers.cloudflare.com/_astro/2025-05-payload-logging-update.1M29LjNm_Z23wApX.webp)  
Payload Logging is available to all Enterprise customers. If you have not used Payload Logging before, check how you can [get started](https://developers.cloudflare.com/waf/managed-rules/payload-logging/).

**Note:** The structure of the `encrypted_matched_data` field in Logpush has changed from `Map<Field, Value>` to `Map<Field, {Before: bytes, Content: Value, After: bytes}>`. If you rely on this field in your Logpush jobs, you should review and update your processing logic accordingly.

May 08, 2025
1. ### [Improved memory efficiency for WebAssembly Workers](https://developers.cloudflare.com/changelog/post/2025-05-08-finalization-registry/)  
[ Workers ](https://developers.cloudflare.com/workers/)  
[FinalizationRegistry ↗](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global%5FObjects/FinalizationRegistry) is now available in Workers. You can opt-in using the [enable\_weak\_ref](https://developers.cloudflare.com/workers/configuration/compatibility-flags/#enable-finalizationregistry-and-weakref) compatibility flag.  
This can reduce memory leaks when using WebAssembly-based Workers, which includes [Python Workers](https://developers.cloudflare.com/workers/languages/python/) and [Rust Workers](https://developers.cloudflare.com/workers/languages/rust/). The FinalizationRegistry works by enabling toolchains such as [Emscripten ↗](https://emscripten.org/) and [wasm-bindgen ↗](https://wasm-bindgen.github.io/wasm-bindgen/) to automatically free WebAssembly heap allocations. If you are using WASM and seeing Exceeded Memory errors and cannot determine a cause using [memory profiling](https://developers.cloudflare.com/workers/observability/dev-tools/memory-usage/), you may want to enable the FinalizationRegistry.  
For more information refer to the [enable\_weak\_ref](https://developers.cloudflare.com/workers/configuration/compatibility-flags/#enable-finalizationregistry-and-weakref) compatibility flag documentation.

May 07, 2025
1. ### [Send forensic copies to storage without DLP profiles](https://developers.cloudflare.com/changelog/post/2025-05-07-forensic-copy-update/)  
[ Data Loss Prevention ](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/)  
You can now [send DLP forensic copies](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-policies/logging-options/#send-dlp-forensic-copies-to-logpush-destination) to third-party storage for any HTTP policy with an `Allow` or `Block` action, without needing to include a DLP profile. This change increases flexibility for data handling and forensic investigation use cases.  
By default, Gateway will send all matched HTTP requests to your configured DLP Forensic Copy jobs.  
![DLP](https://developers.cloudflare.com/_astro/forensic-copies-for-all.fxeFrCY4_Z1rCUy9.webp)

May 06, 2025
1. ### [UDP and ICMP Monitor Support for Private Load Balancing Endpoints](https://developers.cloudflare.com/changelog/post/2025-05-06-private-health-monitoring-methods/)  
[ Load Balancing ](https://developers.cloudflare.com/load-balancing/)  
Cloudflare Load Balancing now supports **UDP (Layer 4)** and **ICMP (Layer 3)** health monitors for **private endpoints**. This makes it simple to track the health and availability of internal services that don’t respond to HTTP, TCP, or other protocol probes.  
#### What you can do:

  * Set up **ICMP ping monitors** to check if your private endpoints are reachable.
  * Use **UDP monitors** for lightweight health checks on non-TCP workloads, such as DNS, VoIP, or custom UDP-based services.
  * Gain better visibility and uptime guarantees for services running behind **Private Network Load Balancing**, without requiring public IP addresses.  
This enhancement is ideal for internal applications that rely on low-level protocols, especially when used in conjunction with [**Cloudflare Tunnel**](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/), [**WARP**](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/), and [**Magic WAN**](https://developers.cloudflare.com/cloudflare-wan/) to create a secure and observable private network.  
Learn more about [Private Network Load Balancing](https://developers.cloudflare.com/load-balancing/private-network/) or view the full list of [supported health monitor protocols](https://developers.cloudflare.com/load-balancing/monitors/#supported-protocols).

May 06, 2025
1. ### [Terraform v5.4.0 now available](https://developers.cloudflare.com/changelog/post/2025-05-06-terraform-v540-provider/)  
[ Cloudflare Fundamentals ](https://developers.cloudflare.com/fundamentals/)[ Terraform ](https://developers.cloudflare.com/terraform/)  
Earlier this year, we announced the launch of the new [Terraform v5 Provider](https://developers.cloudflare.com/changelog/2025-02-03-terraform-v5-provider/). Unlike the earlier Terraform providers, v5 is automatically generated based on the OpenAPI Schemas for our REST APIs. Since launch, we have seen an unexpectedly high number of [issues ↗](https://github.com/cloudflare/terraform-provider-cloudflare) reported by customers. These issues currently impact about 15% of resources. We have been working diligently to address these issues across the company, and have released the v5.4.0 release which includes a number of bug fixes. Please keep an eye on this changelog for more information about upcoming releases.  
#### Changes

  * Removes the `worker_platforms_script_secret` resource from the provider (see [migration guide ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/guides/version-5-upgrade#cloudflare%5Fworker%5Fsecret) for alternatives—applicable to both Workers and Workers for Platforms)
  * Removes duplicated fields in `cloudflare_cloud_connector_rules` resource
  * Fixes `cloudflare_workers_route` id issues [#5134 ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues/5134) [#5501 ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues/5501)
  * Fixes issue around refreshing resources that have unsupported response types Affected resources
    * `cloudflare_certificate_pack`
    * `cloudflare_registrar_domain`
    * `cloudflare_stream_download`
    * `cloudflare_stream_webhook`
    * `cloudflare_user`
    * `cloudflare_workers_kv`
    * `cloudflare_workers_script`
  * Fixes `cloudflare_workers_kv` state refresh issues
  * Fixes issues around configurability of nested properties without computed values for the following resources Affected resources
    * `cloudflare_account`
    * `cloudflare_account_dns_settings`
    * `cloudflare_account_token`
    * `cloudflare_api_token`
    * `cloudflare_cloud_connector_rules`
    * `cloudflare_custom_ssl`
    * `cloudflare_d1_database`
    * `cloudflare_dns_record`
    * `email_security_trusted_domains`
    * `cloudflare_hyperdrive_config`
    * `cloudflare_keyless_certificate`
    * `cloudflare_list_item`
    * `cloudflare_load_balancer`
    * `cloudflare_logpush_dataset_job`
    * `cloudflare_magic_network_monitoring_configuration`
    * `cloudflare_magic_transit_site`
    * `cloudflare_magic_transit_site_lan`
    * `cloudflare_magic_transit_site_wan`
    * `cloudflare_magic_wan_static_route`
    * `cloudflare_notification_policy`
    * `cloudflare_pages_project`
    * `cloudflare_queue`
    * `cloudflare_queue_consumer`
    * `cloudflare_r2_bucket_cors`
    * `cloudflare_r2_bucket_event_notification`
    * `cloudflare_r2_bucket_lifecycle`
    * `cloudflare_r2_bucket_lock`
    * `cloudflare_r2_bucket_sippy`
    * `cloudflare_ruleset`
    * `cloudflare_snippet_rules`
    * `cloudflare_snippets`
    * `cloudflare_spectrum_application`
    * `cloudflare_workers_deployment`
    * `cloudflare_zero_trust_access_application`
    * `cloudflare_zero_trust_access_group`
  * Fixed defaults that made `cloudflare_workers_script` fail when using Assets
  * Fixed Workers Logpush setting in `cloudflare_workers_script` mistakenly being readonly
  * Fixed `cloudflare_pages_project` broken when using "source"  
The detailed [changelog ↗](https://github.com/cloudflare/terraform-provider-cloudflare/releases/tag/v5.4.0) is available on GitHub.  
#### Upgrading  
If you are evaluating a move from v4 to v5, please make use of the [migration guide ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/guides/version-5-upgrade). We have provided automated migration scripts using Grit which simplify the transition, although these do not support implementations which use Terraform modules, so customers making use of modules need to migrate manually. Please make use of `terraform plan` to test your changes before applying, and let us know if you encounter any additional issues either by reporting to our [GitHub repository ↗](https://github.com/cloudflare/terraform-provider-cloudflare), or by opening a [support ticket ↗](https://www.support.cloudflare.com/s/?language=en%5FUS).  
#### For more info

  * [Terraform provider ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs)
  * [Documentation on using Terraform with Cloudflare ↗](https://developers.cloudflare.com/terraform/)

May 05, 2025
1. ### [WAF Release - 2025-05-05](https://developers.cloudflare.com/changelog/post/2025-05-05-waf-release/)  
[ WAF ](https://developers.cloudflare.com/waf/)  
This week's analysis covers five CVEs with varying impact levels. Four are rated critical, while one is rated high severity. Remote Code Execution vulnerabilities dominate this set.

**Key Findings**  
GFI KerioControl (CVE-2024-52875) contains an unauthenticated Remote Code Execution (RCE) vulnerability that targets firewall appliances. This vulnerability can let attackers gain root level system access, making this CVE particularly attractive for threat actors.  
The SonicWall SMA vulnerabilities remain concerning due to their continued exploitation since 2021\. These critical vulnerabilities in remote access solutions create dangerous entry points to networks.

**Impact**  
Customers using the Managed Ruleset will receive rule coverage following this week's release. Below is a breakdown of the recommended prioritization based on current exploitation trends:

  * GFI KerioControl (CVE-2024-52875) - Highest priority; unauthenticated RCE
  * SonicWall SMA (Multiple vulnerabilities) - Critical for network appliances
  * XWiki (CVE-2025-24893) - High priority for development environments
  * Langflow (CVE-2025-3248) - Important for AI workflow platforms
  * MinIO (CVE-2025-31489) - Important for object storage implementations

| Ruleset                    | Rule ID     | Legacy Rule ID | Description                                                                                        | Previous Action | New Action | Comments                |
| -------------------------- | ----------- | -------------- | -------------------------------------------------------------------------------------------------- | --------------- | ---------- | ----------------------- |
| Cloudflare Managed Ruleset | ...d0b7a392 | 100724         | GFI KerioControl - Remote Code Execution - CVE:CVE-2024-52875                                      | Log             | Block      | This is a New Detection |
| Cloudflare Managed Ruleset | ...717a9e42 | 100748         | XWiki - Remote Code Execution - CVE:CVE-2025-24893                                                 | Log             | Block      | This is a New Detection |
| Cloudflare Managed Ruleset | ...e9cf745d | 100750         | SonicWall SMA - Dangerous File Upload - CVE:CVE-2021-20040, CVE:CVE-2021-20041, CVE:CVE-2021-20042 | Log             | Block      | This is a New Detection |
| Cloudflare Managed Ruleset | ...d29da333 | 100751         | Langflow - Remote Code Execution - CVE:CVE-2025-3248                                               | Log             | Block      | This is a New Detection |
| Cloudflare Managed Ruleset | ...caa7b208 | 100752         | MinIO - Auth Bypass - CVE:CVE-2025-31489                                                           | Log             | Block      | This is a New Detection |

May 01, 2025
1. ### [Browser Isolation Overview page for Zero Trust](https://developers.cloudflare.com/changelog/post/2025-05-01-browser-isolation-overview-page/)  
[ Browser Isolation ](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/)  
A new **Browser Isolation Overview** page is now available in the Cloudflare Zero Trust dashboard. This centralized view simplifies the management of [Remote Browser Isolation (RBI)](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/) deployments, providing:

  * **Streamlined Onboarding:** Easily set up and manage isolation policies from one location.
  * **Quick Testing:** Validate [clientless web application isolation](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/setup/clientless-browser-isolation/) with ease.
  * **Simplified Configuration:** Configure [isolated access applications](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/isolate-application/) and policies efficiently.
  * **Centralized Monitoring:** Track aggregate usage and blocked actions.  
This update consolidates previously disparate settings, accelerating deployment, improving visibility into isolation activity, and making it easier to ensure your protections are working effectively.  
![Browser Isolation Overview](https://developers.cloudflare.com/_astro/browser-isolation-overview.Ljd5ax_O_Z1SURww.webp)  
To access the new overview, log in to your Cloudflare [Zero Trust dashboard ↗](https://one.dash.cloudflare.com/) and find Browser Isolation in the side navigation bar.

May 01, 2025
1. ### [R2 Dashboard experience gets new updates](https://developers.cloudflare.com/changelog/post/2025-05-01-r2-dashboard-updates/)  
[ R2 ](https://developers.cloudflare.com/r2/)  
We're excited to announce several improvements to the [Cloudflare R2](https://developers.cloudflare.com/r2/) dashboard experience that make managing your object storage easier and more intuitive:  
![Cloudflare R2 Dashboard](https://developers.cloudflare.com/_astro/r2-dashboard-updates.B7WXxzMk_Z2vfGut.webp)  
#### All-new settings page  
We've redesigned the bucket settings page, giving you a centralized location to manage all your bucket configurations in one place.  
#### Improved navigation and sharing

  * Deeplink support for prefix directories: Navigate through your bucket hierarchy without losing your state. Your browser's back button now works as expected, and you can share direct links to specific prefix directories with teammates.
  * Objects as clickable links: Objects are now proper links that you can copy or `CMD + Click` to open in a new tab.  
#### Clearer public access controls

  * Renamed "r2.dev domain" to "Public Development URL" for better clarity when exposing bucket contents for non-production workloads.
  * Public Access status now clearly displays "Enabled" when your bucket is exposed to the internet (via Public Development URL or Custom Domains).  
We've also made numerous other usability improvements across the board to make your R2 experience smoother and more productive.

Apr 30, 2025
1. ### [Dark Mode for Zero Trust Dashboard](https://developers.cloudflare.com/changelog/post/2025-04-30-zero-trust-dashboard-dark-mode/)  
[ Cloudflare One ](https://developers.cloudflare.com/cloudflare-one/)  
The [Cloudflare Zero Trust dashboard ↗](https://one.dash.cloudflare.com/) now supports Cloudflare's native dark mode for all accounts and plan types.  
Zero Trust Dashboard will automatically accept your user-level preferences for system settings, so if your Dashboard appearance is set to 'system' or 'dark', the Zero Trust dashboard will enter dark mode whenever the rest of your Cloudflare account does.  
![Zero Trust dashboard supports dark mode](https://developers.cloudflare.com/_astro/dark-mode.DfLeS20d_Z2kTwNR.webp)  

  * [ Zero Trust Dashboard ](#tab-panel-4881)
  * [ Core Dashboard ](#tab-panel-4882)  
To update your view preference in the Zero Trust dashboard:

  1. Log into the [Zero Trust dashboard ↗](https://one.dash.cloudflare.com/).
  2. Select your user icon.
  3. Select **Dark Mode**.  
To update your view preference in the Core dashboard:

  1. Log into the [Cloudflare dashboard ↗](https://dash.cloudflare.com).
  2. Go to **My Profile**
  3. For **Appearance**, choose **Dark**.

Apr 30, 2025
1. ### [Cloudflare One Appliance supports multiple DNS server IPs](https://developers.cloudflare.com/changelog/post/2025-04-30-appliance-multiple-dns-servers/)  
[ Cloudflare One Appliance ](https://developers.cloudflare.com/cloudflare-wan/configuration/appliance/)[ Cloudflare One ](https://developers.cloudflare.com/cloudflare-one/)[ Cloudflare WAN ](https://developers.cloudflare.com/cloudflare-wan/)  
Cloudflare One Appliance DHCP server settings now support specifying multiple DNS server IP addresses in the DHCP pool.  
Previously, customers could only configure a single DNS server per DHCP pool. With this update, you can specify multiple DNS servers to provide redundancy for clients at branch locations.  
For configuration details, refer to [DHCP server](https://developers.cloudflare.com/cloudflare-wan/configuration/appliance/network-options/dhcp/dhcp-server/).

```json
{"@context":"https://schema.org","@type":"BlogPosting","@id":"https://developers.cloudflare.com/changelog/33/#page","headline":"Changelogs | Cloudflare Docs","url":"https://developers.cloudflare.com/changelog/33/","inLanguage":"en","image":"https://developers.cloudflare.com/cf-twitter-card.png","publisher":{"@type":"Organization","name":"Cloudflare","url":"https://www.cloudflare.com/"},"isPartOf":{"@type":"WebSite","@id":"https://developers.cloudflare.com/#website","name":"Cloudflare Docs","url":"https://developers.cloudflare.com/"}}
```
