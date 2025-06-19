Text in Expression Editor (replace
myappexample.com with your domain):
Selected operation under Modify request header: Set static
Header name:
X-External-Workers-Subrequest
Value:
1
New updates and improvements at Cloudflare.
In AutoRAG, you can now view your object's custom metadata in the response from
/search and
/ai-search, and optionally add a
context field in the custom metadata of an object to provide additional guidance for AI-generated answers.
You can add custom metadata to an object when uploading it to your R2 bucket.
When you run a search, AutoRAG now returns any custom metadata associated with the object. This metadata appears in the response inside
attributes then
file , and can be used for downstream processing.
For example, the
attributes section of your search response may look like:
When you include a custom metadata field named
context, AutoRAG attaches that value to each chunk of the file. When you run an
/ai-search query, this
context is passed to the LLM and can be used as additional input when generating an answer.
We recommend using the
context field to describe supplemental information you want the LLM to consider, such as a summary of the document or a source URL. If you have several different metadata attributes, you can join them together however you choose within the
context string.
For example:
This gives you more control over how your content is interpreted, without requiring you to modify the original contents of the file.
Learn more in AutoRAG's metadata filtering documentation.
In AutoRAG, you can now filter by an object's file name using the
filename attribute, giving you more control over which files are searched for a given query.
This is useful when your application has already determined which files should be searched. For example, you might query a PostgreSQL database to get a list of files a user has access to based on their permissions, and then use that list to limit what AutoRAG retrieves.
For example, your search query may look like:
This allows you to connect your application logic with AutoRAG's retrieval process, making it easy to control what gets searched without needing to reindex or modify your data.
Learn more in AutoRAG's metadata filtering documentation.
Authoritative DNS analytics are now available on the account level via the Cloudflare GraphQL Analytics API.
This allows users to query DNS analytics across multiple zones in their account, by using the
accounts filter.
Here is an example to retrieve the most recent DNS queries across all zones in your account that resulted in an
NXDOMAIN response over a given time frame. Please replace
a30f822fcd7c401984bf85d8f2a5111c with your actual account ID.
To learn more and get started, refer to the DNS Analytics documentation.
We've simplified the programmatic deployment of Workers via our Cloudflare SDKs. This update abstracts away the low-level complexities of the
multipart/form-data upload process, allowing you to focus on your code while we handle the deployment mechanics.
This new interface is available in:
For complete examples, see our guide on programmatic Worker deployments.
Previously, deploying a Worker programmatically required manually constructing a
multipart/form-data HTTP request, packaging your code and a separate
metadata.json file. This was more complicated and verbose, and prone to formatting errors.
For example, here's how you would upload a Worker script previously with cURL:
With the new SDK interface, you can now define your entire Worker configuration using a single, structured object.
This approach allows you to specify metadata like
main_module,
bindings, and
compatibility_date as clearer properties directly alongside your script content. Our SDK takes this logical object and automatically constructs the complex multipart/form-data API request behind the scenes.
Here's how you can now programmatically deploy a Worker via the
cloudflare-typescript SDK ↗
View the complete example here: https://github.com/cloudflare/cloudflare-typescript/blob/main/examples/workers/script-upload.ts ↗
We've also made several fixes and enhancements to the Cloudflare Terraform provider ↗:
cloudflare_workers_script ↗ resource in Terraform, which previously was producing a diff even when there were no changes. Now, your
terraform plan outputs will be cleaner and more reliable.
cloudflare_workers_for_platforms_dispatch_namespace ↗, where the provider would attempt to recreate the namespace on a
terraform apply. The resource now correctly reads its remote state, ensuring stability for production environments and CI/CD workflows.
cloudflare_workers_route ↗ resource now allows for the
script property to be empty, null, or omitted to indicate that pattern should be negated for all scripts (see routes docs). You can now reserve a pattern or temporarily disable a Worker on a route without deleting the route definition itself.
primary_location_hint in the
cloudflare_d1_database ↗ resource will no longer always try to recreate. You can now safely change the location hint for a D1 database without causing a destructive operation.
We've also properly documented the Workers Script And Version Settings in our public OpenAPI spec and SDKs.
Gateway will now evaluate Network (Layer 4) policies before HTTP (Layer 7) policies. This change preserves your existing security posture and does not affect which traffic is filtered — but it may impact how notifications are displayed to end users.
This change will roll out progressively between July 14–18, 2025. If you use HTTP policies, we recommend reviewing your configuration ahead of rollout to ensure the user experience remains consistent.
Previous order:
New order:
This change may affect block notifications. For example:
example.com and display a block page.
example.com silently (no client notification).
With the new order, the Network policy will trigger first — and the user will no longer see the HTTP block page.
To ensure users still receive a block notification, you can:
This update is based on user feedback and aims to:
To learn more, visit the Gateway order of enforcement documentation.
Log Explorer is now GA, providing native observability and forensics for traffic flowing through Cloudflare.
Search and analyze your logs, natively in the Cloudflare dashboard. These logs are also stored in Cloudflare's network, eliminating many of the costs associated with other log providers.
With Log Explorer, you can now:
For help getting started, refer to our documentation.
Today we announced the public beta ↗ of remote bindings for local development. With remote bindings, you can now connect to deployed resources like R2 buckets and D1 databases while running Worker code on your local machine. This means you can test your local code changes against real data and services, without the overhead of deploying for each iteration.
To enable remote mode, add
"experimental_remote" : true to each binding that you want to rely on a remote resource running on Cloudflare:
When remote bindings are configured, your Worker still executes locally, but all binding calls are proxied to the deployed resource that runs on Cloudflare's network.
You can try out remote bindings for local development today with:
wrangler dev --x-remote-bindings command.
Have feedback? Join the discussion in our beta announcement ↗ to share feedback or report any issues.
A new Beta release for the Windows WARP client is now available on the beta releases downloads page.
This release contains new improvements in addition to the features and improvements introduced in Beta client version 2025.5.735.1.
Changes and improvements
Known issues
Microsoft has confirmed a regression with Windows 11 starting around 24H2 that may cause performance issues for some users. These performance issues could manifest as mouse lag, audio cracking, or other slowdowns. A fix from Microsoft is expected in early July.
Devices with
KB5055523 installed may receive a warning about
Win32/ClickFix.ABA being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to version 1.429.19.0 or later.
DNS resolution may be broken when the following conditions are all true:
A new Beta release for the macOS WARP client is now available on the beta releases downloads page.
This release contains new improvements in addition to the features and improvements introduced in Beta client version 2025.5.735.1.
Changes and improvements
Known issues
Earlier this year, we announced the launch of the new Terraform v5 Provider. Unlike the earlier Terraform providers, v5 is automatically generated based on the OpenAPI Schemas for our REST APIs. Since launch, we have seen an unexpectedly high number of issues ↗ reported by customers. These issues currently impact about 15% of resources. We have been working diligently to address these issues across the company, and have released the v5.6.0 release which includes a number of bug fixes. Please keep an eye on this changelog for more information about upcoming releases.
cloudflare_zero_trust_access_identity_provider
cloudflare_zone
cloudflare_page_rules runtime panic when setting
cache_level to
cache_ttl_by_status
cloudflare_zero_trust_tunnel_cloudflared_config
zone_lockdown resource
cloudflare_zero_trust_device_default_profile_local_domain_fallback and
cloudflare_account_subscription
cloudflare_schema_validation_operation_settings
cloudflare_schema_validation_schemas
cloudflare_schema_validation_settings
cloudflare_zero_trust_device_settings
For a more detailed look at all of the changes, see the changelog ↗ in GitHub.
If you have an unaddressed issue with the provider, we encourage you to check the open issues ↗ and open a new one if one does not already exist for what you are experiencing.
If you are evaluating a move from v4 to v5, please make use of the
migration guide ↗. We have
provided automated migration scripts using Grit which simplify the transition, although these do not support implementations which
use Terraform modules, so customers making use of modules need to migrate manually. Please make use of
terraform plan to test
your changes before applying, and let us know if you encounter any additional issues by reporting to our
GitHub repository ↗.
For those building Single Page Applications (SPAs) on Workers, you can now explicitly define which routes invoke your Worker script in Wrangler configuration. The
run_worker_first config option has now been expanded to accept an array of route patterns, allowing you to more granularly specify when your Worker script runs.
Configuration example:
This new routing control was done in partnership with our community and customers who provided great feedback on our public proposal ↗. Thank you to everyone who brought forward use-cases and feedback on the design!
To use advanced routing control with
run_worker_first, you'll need:
Mitigations have been put in place for all existing and future deployments of sites with the Cloudflare adapter for Open Next in response to an identified Server-Side Request Forgery (SSRF) vulnerability in the
@opennextjs/cloudflare package.
The vulnerability stemmed from an unimplemented feature in the Cloudflare adapter for Open Next, which allowed users to proxy arbitrary remote content via the
/_next/image endpoint.
This issue allowed attackers to load remote resources from arbitrary hosts under the victim site's domain for any site deployed using the Cloudflare adapter for Open Next. For example:
https://victim-site.com/_next/image?url=https://attacker.com. In this example, attacker-controlled content from
attacker.com is served through the victim site's domain (
victim-site.com), violating the same-origin policy and potentially misleading users or other services.
References: https://www.cve.org/cverecord?id=CVE-2025-6087 ↗, https://github.com/opennextjs/opennextjs-cloudflare/security/advisories/GHSA-rvpw-p7vw-wj3m ↗
The following mitigations have been put in place:
Server side updates to Cloudflare's platform to restrict the content loaded via the
/_next/image endpoint to images. The update automatically mitigates the issue for all existing and any future sites deployed to Cloudflare using the affected version of the Cloudflare adapter for Open Next
Root cause fix: Pull request #727 ↗ to the Cloudflare adapter for Open Next. The patched version of the adapter has been released as
@opennextjs/cloudflare@1.3.0
Package dependency update: Pull request cloudflare/workers-sdk#9608 ↗ to create-cloudflare (c3) to use the fixed version of the Cloudflare adapter for Open Next. The patched version of create-cloudflare has been published as
create-cloudflare@2.49.3.
In addition to the automatic mitigation deployed on Cloudflare's platform, we encourage affected users to upgrade to
@opennext/cloudflare v1.3.0 and use the
remotePatterns ↗ filter in Next config if they need to allow-list external urls with images assets.
Participating beta testers can now fully configure Internal DNS directly in the Cloudflare dashboard ↗.
Map internal hostnames to private IPs for services, devices, and applications not exposed to the public Internet
Resolve internal DNS queries securely through Cloudflare Gateway
Use split-horizon DNS to return different responses based on network context
Consolidate internal and public DNS zones within a single management platform
To learn more and get started, refer to the Internal DNS documentation.
This week’s roundup highlights multiple critical vulnerabilities across popular web frameworks, plugins, and enterprise platforms. The focus lies on remote code execution (RCE), server-side request forgery (SSRF), and insecure file upload vectors that enable full system compromise or data exfiltration.
Key Findings
Impact
These vulnerabilities span core systems — from routers to e-commerce to email. RCE in Cisco IOS XE, Roundcube, and vBulletin poses full system compromise. SSRF in Axios and CrushFTP supports internal pivoting, while WooCommerce’s file upload bug opens doors to mass WordPress exploitation.
|Ruleset
|Rule ID
|Legacy Rule ID
|Description
|Previous Action
|New Action
|Comments
|Cloudflare Managed Ruleset
|100783
|Cisco IOS XE - Remote Code Execution - CVE:CVE-2025-20188
|Log
|Block
|This is a New Detection
|Cloudflare Managed Ruleset
|100784
|Axios - SSRF - CVE:CVE-2024-39338
|Log
|Block
|This is a New Detection
|Cloudflare Managed Ruleset
|100785
vBulletin - Remote Code Execution - CVE:CVE-2025-48827, CVE:CVE-2025-48828
|Log
|Block
|This is a New Detection
|Cloudflare Managed Ruleset
|100786
|Invision Community - Remote Code Execution - CVE:CVE-2025-47916
|Log
|Block
|This is a New Detection
|Cloudflare Managed Ruleset
|100791
|CrushFTP - SSRF - CVE:CVE-2025-32102, CVE:CVE-2025-32103
|Log
|Block
|This is a New Detection
|Cloudflare Managed Ruleset
|100792
|Roundcube - Remote Code Execution - CVE:CVE-2025-49113
|Log
|Block
|This is a New Detection
|Cloudflare Managed Ruleset
|100793
|XSS - Ontoggle
|Log
|Disabled
|This is a New Detection
|Cloudflare Managed Ruleset
|100794
WordPress WooCommerce Plugin - Dangerous File Upload - CVE:CVE-2025-47577
|Log
|Block
|This is a New Detection
You can now grant members of your Cloudflare account read-only access to the Workers Platform.
The new "Workers Platform (Read-only)" role grants read-only access to all products typically used as part of Cloudflare's Developer Platform, including Workers, Pages, Durable Objects, KV, R2, Zones, Zone Analytics and Page Rules. When Cloudflare introduces new products to the Workers platform, we will add additional read-only permissions to this role.
Additionally, the role previously named "Workers Admin" has been renamed to "Workers Platform Admin". This change ensures that the name more accurately reflects the permissions granted — this role has always granted access to more than just Workers — it grants read and write access to the products mentioned above, and similarly, as new products are added to the Workers platform, we will add additional read and write permissions to this role.
You can review the updated roles in the developer docs.
Enterprise customers can now select NSEC3 as method for proof of non-existence on their zones.
What's new:
NSEC3 support for live-signed zones – For both primary and secondary zones that are configured to be live-signed (also known as "on-the-fly signing"), NSEC3 can now be selected as proof of non-existence.
NSEC3 support for pre-signed zones – Secondary zones that are transferred to Cloudflare in a pre-signed setup now also support NSEC3 as proof of non-existence.
For more information and how to enable NSEC3, refer to the NSEC3 documentation.
We have increased the limits for Media Transformations:
Additionally, we have improved caching of the input asset, resulting in fewer requests to origin storage even when transformation options may differ.
For more information, learn about Transforming Videos.
Workers Builds connects your Worker to a Git repository, and automates building and deploying your code on each pushed change.
To make CI/CD pipelines even more flexible, Workers Builds now automatically injects default environment variables into your build process (much like the defaults in Cloudflare Pages projects). You can use these variables to customize your build process based on the deployment context, such as the branch or commit.
The following environment variables are injected by default:
|Environment Variable
|Injected value
|Example use-case
CI
true
|Changing build behavior when run on CI versus locally
WORKERS_CI
1
|Changing build behavior when run on Workers Builds versus locally
WORKERS_CI_BUILD_UUID
<build-uuid-of-current-build>
|Passing the Build UUID along to custom workflows
WORKERS_CI_COMMIT_SHA
<sha1-hash-of-current-commit>
|Passing current commit ID to error reporting, for example, Sentry
WORKERS_CI_BRANCH
<branch-name-from-push-event
|Customizing build based on branch, for example, disabling debug logging on
production
You can override these default values and add your own custom environment variables by navigating to your Worker > Settings > Environment variables.
Learn more in the Build configuration documentation.
Custom Errors can now fetch and store assets and error pages from your origin even if they are served with a 4xx or 5xx HTTP status code — previously, only 200 OK responses were allowed.
What’s new:
This is especially useful for retrieving error content or downtime banners from your backend when you can’t override the origin status code.
Learn more in the Custom Errors documentation.
You can now use the
cf.worker.upstream_zone field in Transform Rules to control rule execution based on whether a request originates from Workers, including subrequests issued by Workers in other zones.
What's new:
cf.worker.upstream_zone is now supported in Transform Rules expressions.
For example, to add a header when the subrequest comes from another zone:
Text in Expression Editor (replace
myappexample.com with your domain):
Selected operation under Modify request header: Set static
Header name:
X-External-Workers-Subrequest
Value:
1
This gives you more granular control in how you handle incoming requests for your zone.
Learn more in the Transform Rules documentation and Rules language fields reference.
This week’s update spotlights four critical vulnerabilities across CMS platforms, VoIP systems, and enterprise applications. Several flaws enable remote code execution or privilege escalation, posing significant enterprise risks.
Key Findings
Impact
These vulnerabilities target widely deployed CMS, ERP, and VoIP systems. RCE flaws in SAP NetWeaver and Camaleon CMS allow full takeover of business-critical applications. Privilege escalation in OttoKit exposes WordPress environments to full administrative compromise. FortiVoice buffer handling issues risk destabilizing or fully compromising enterprise telephony systems.
|Ruleset
|Rule ID
|Legacy Rule ID
|Description
|Previous Action
|New Action
|Comments
|Cloudflare Managed Ruleset
|100769
WordPress OttoKit Plugin - Privilege Escalation - CVE:CVE-2025-27007
|Log
|Block
|This is a New Detection
|Cloudflare Managed Ruleset
|100770
|SAP NetWeaver - Remote Code Execution - CVE:CVE-2025-42999
|Log
|Block
|This is a New Detection
|Cloudflare Managed Ruleset
|100779
|Fortinet FortiVoice - Buffer Error - CVE:CVE-2025-32756
|Log
|Block
|This is a New Detection
|Cloudflare Managed Ruleset
|100780
|Camaleon CMS - Remote Code Execution - CVE:CVE-2024-46986
|Log
|Block
|This is a New Detection
Workers native integrations were originally launched in May 2023 ↗ to connect to popular database and observability providers with your Worker in just a few clicks. We are changing how developers connect Workers to these external services. The Integrations tab in the dashboard has been removed in favor of a more direct, command-line-based approach using Wrangler secrets.
npx wrangler secret put commands.
Existing integrations will continue to work without any changes required. If you have integrations that were previously created through the dashboard, they will remain functional.
If you'd like to modify your existing integration, you can update the secrets, environment variables, or Tail Workers that were created from the original integration setup.
npx wrangler secret put <SECRET_NAME> to update credential values.
If you have previously set up an observability integration with Sentry ↗, the following environment variables were set and are still modifiable:
BLOCKED_HEADERS: headers to exclude sending to Sentry
EXCEPTION_SAMPLING_RATE: number from 0 - 100, where 0 = no events go through to Sentry, and 100 = all events go through to Sentry
STATUS_CODES_TO_SAMPLING_RATES: a map of status codes -- like 400 or with wildcards like 4xx -- to sampling rates described above
For new connections, refer to our step-by-step guides on connecting to popular database and observability providers including: Sentry, Turso, Neon, Supabase, PlanetScale, Upstash, Xata.
A new Beta release for the Windows WARP client is now available on the beta releases downloads page.
This release contains improvements and new exciting features, including SCCM VPN boundary support and post-quantum cryptography. By tunneling your corporate network traffic over Cloudflare, you can now gain the immediate protection of post-quantum cryptography without needing to upgrade any of your individual corporate applications or systems.
Changes and improvements
Known issues
Microsoft has confirmed a regression with Windows 11 starting around 24H2 that may cause performance issues for some users. These performance issues could manifest as mouse lag, audio cracking, or other slowdowns. A fix from Microsoft is expected in early July.
Devices with
KB5055523 installed may receive a warning about
Win32/ClickFix.ABA being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to version 1.429.19.0 or later.
DNS resolution may be broken when the following conditions are all true:
A new Beta release for the macOS WARP client is now available on the beta releases downloads page.
This release contains improvements and new exciting features, including post-quantum cryptography. By tunneling your corporate network traffic over Cloudflare, you can now gain the immediate protection of post-quantum cryptography without needing to upgrade any of your individual corporate applications or systems.
Changes and improvements
Known issues
With the release of the Cloudflare adapter for Open Next v1.0.0 in May 2025, we already had followups plans to improve performance and size ↗.
@opennextjs/cloudflare v1.2 released on June 5, 2025 delivers on these enhancements. By removing
babel from the app code and dropping a dependency on
@ampproject/toolbox-optimizer, we were able to reduce generated bundle sizes. Additionally, by stopping preloading of all app routes, we were able to improve the cold start time.
This means that users will now see a decrease from 14 to 8MiB (2.3 to 1.6MiB gzipped) in generated bundle size for a Next app created via create-next-app, and typically 100ms faster startup times for their medium-sized apps.
Users only need to update to the latest version of
@opennextjs/cloudflare to automatically benefit from these improvements.
Note that we published CVE-2005-6087 ↗ for a SSRF vulnerability in the
@opennextjs/cloudflare package.
The vulnerability has been fixed from
@opennextjs/cloudflare v1.3.0 onwards. Please update to any version after this one.