
  1. WAF Release - 2025-01-06

    WAF
    | Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
    |---|---|---|---|---|---|---|
    | Cloudflare Specials | 100678 | | Pandora FMS - Remote Code Execution - CVE:CVE-2024-11320 | Log | Block | New Detection |
    | Cloudflare Specials | 100679 | | Palo Alto Networks - Remote Code Execution - CVE:CVE-2024-0012, CVE:CVE-2024-9474 | Log | Block | New Detection |
    | Cloudflare Specials | 100680 | | Ivanti - Command Injection - CVE:CVE-2024-37397 | Log | Block | New Detection |
    | Cloudflare Specials | 100681 | | Really Simple Security - Auth Bypass - CVE:CVE-2024-10924 | Log | Block | New Detection |
    | Cloudflare Specials | 100682 | | Magento - XXE - CVE:CVE-2024-34102 | Log | Block | New Detection |
    | Cloudflare Specials | 100683 | | CyberPanel - Remote Code Execution - CVE:CVE-2024-51567 | Log | Block | New Detection |
    | Cloudflare Specials | 100684 | | Microsoft SharePoint - Remote Code Execution - CVE:CVE-2024-38094, CVE:CVE-2024-38024, CVE:CVE-2024-38023 | Log | Block | New Detection |
    | Cloudflare Specials | 100685 | | CyberPanel - Remote Code Execution - CVE:CVE-2024-51568 | Log | Block | New Detection |
    | Cloudflare Specials | 100686 | | Seeyon - Remote Code Execution | Log | Block | New Detection |
    | Cloudflare Specials | 100687 | | WordPress - Remote Code Execution - CVE:CVE-2024-10781, CVE:CVE-2024-10542 | Log | Block | New Detection |
    | Cloudflare Specials | 100688 | | ProjectSend - Remote Code Execution - CVE:CVE-2024-11680 | Log | Block | New Detection |
    | Cloudflare Specials | 100689 | | Palo Alto GlobalProtect - Remote Code Execution - CVE:CVE-2024-5921 | Log | Block | New Detection |
    | Cloudflare Specials | 100690 | | Ivanti - Remote Code Execution - CVE:CVE-2024-37404 | Log | Block | New Detection |
    | Cloudflare Specials | 100691 | | Array Networks - Remote Code Execution - CVE:CVE-2023-28461 | Log | Block | New Detection |
    | Cloudflare Specials | 100692 | | CyberPanel - Remote Code Execution - CVE:CVE-2024-51378 | Log | Block | New Detection |
    | Cloudflare Specials | 100693 | | Symfony Profiler - Auth Bypass - CVE:CVE-2024-50340 | Log | Block | New Detection |
    | Cloudflare Specials | 100694 | | Citrix Virtual Apps - Remote Code Execution - CVE:CVE-2024-8069 | Log | Block | New Detection |
    | Cloudflare Specials | 100695 | | MSMQ Service - Remote Code Execution - CVE:CVE-2023-21554 | Log | Block | New Detection |
    | Cloudflare Specials | 100696 | | Nginxui - Remote Code Execution - CVE:CVE-2024-49368 | Log | Block | New Detection |
    | Cloudflare Specials | 100697 | | Apache ShardingSphere - Remote Code Execution - CVE:CVE-2022-22733 | Log | Block | New Detection |
    | Cloudflare Specials | 100698 | | Mitel MiCollab - Auth Bypass - CVE:CVE-2024-41713 | Log | Block | New Detection |
    | Cloudflare Specials | 100699 | | Apache Solr - Auth Bypass - CVE:CVE-2024-45216 | Log | Block | New Detection |

  1. AI Gateway adds DeepSeek as a Provider

    AI Gateway

    AI Gateway now supports DeepSeek, including their cutting-edge DeepSeek-V3 model. With this addition, you have even more flexibility to manage and optimize your AI workloads using AI Gateway. Whether you're leveraging DeepSeek or other providers, like OpenAI, Anthropic, or Workers AI, AI Gateway empowers you to:

    • Monitor: Gain actionable insights with analytics and logs.
    • Control: Implement caching, rate limiting, and fallbacks.
    • Optimize: Improve performance with feedback and evaluations.

    To get started, simply update the base URL of your DeepSeek API calls to route through AI Gateway. Here's how you can send a request using cURL:

    Example fetch request
    curl https://gateway.ai.cloudflare.com/v1/{account_id}/{gateway_id}/deepseek/chat/completions \
     --header 'content-type: application/json' \
     --header 'Authorization: Bearer DEEPSEEK_TOKEN' \
     --data '{
        "model": "deepseek-chat",
        "messages": [
            {
                "role": "user",
                "content": "What is Cloudflare?"
            }
        ]
    }'

    For detailed setup instructions, see our DeepSeek provider documentation.

  1. Faster Workers Builds with Build Caching and Watch Paths

    Workers

    Workers Builds, the integrated CI/CD system for Workers (currently in beta), now lets you cache artifacts across builds, speeding up build jobs by eliminating repeated work, such as downloading dependencies at the start of each build.

    • Build Caching: Cache dependencies and build outputs between builds with a shared project-wide cache, ensuring faster builds for the entire team.

    • Build Watch Paths: Define paths to include or exclude from the build process, ideal for monorepos to target only the files that need to be rebuilt per Workers project.

    To get started, select your Worker on the Cloudflare dashboard then go to Settings > Builds, and connect a GitHub or GitLab repository. Once connected, you'll see options to configure Build Caching and Build Watch Paths.

  1. Escalate user submissions

    Email security

    After you triage your users' submissions (which are machine reviewed), you can now escalate them to our team for reclassification (which is human reviewed). User submissions from the submission alias, PhishNet, and our API can all be escalated.


    From Reclassifications, go to User submissions. Select the three dots next to any of the user submissions, then select Escalate to create a team request for reclassification. The Cloudflare dashboard will then show you the submissions on the Team Submissions tab.

    Refer to User submissions to learn more about this feature.

    This feature is available across these Email security packages:

    • Advantage
    • Enterprise
    • Enterprise + PhishGuard

  1. Troubleshoot tunnels with diagnostic logs

    Cloudflare Tunnel

    The latest cloudflared build 2024.12.2 introduces the ability to collect all the diagnostic logs needed to troubleshoot a cloudflared instance.

    A diagnostic report collects data from a single instance of cloudflared running on the local machine and outputs it to a cloudflared-diag file.

    The cloudflared-diag-YYYY-MM-DDThh-mm-ss.zip archive contains the files listed below. The data in a file either applies to the cloudflared instance being diagnosed (diagnosee) or the instance that triggered the diagnosis (diagnoser). For example, if your tunnel is running in a Docker container, the diagnosee is the Docker instance and the diagnoser is the host instance.

    | File name | Description | Instance |
    |---|---|---|
    | cli-configuration.json | Tunnel run parameters used when starting the tunnel | diagnosee |
    | cloudflared_logs.txt | Tunnel log file [1] | diagnosee |
    | configuration.json | Tunnel configuration parameters | diagnosee |
    | goroutine.pprof | goroutine profile made available by pprof | diagnosee |
    | heap.pprof | heap profile made available by pprof | diagnosee |
    | metrics.txt | Snapshot of Tunnel metrics at the time of diagnosis | diagnosee |
    | network.txt | JSON traceroutes to Cloudflare's global network using IPv4 and IPv6 | diagnoser |
    | raw-network.txt | Raw traceroutes to Cloudflare's global network using IPv4 and IPv6 | diagnoser |
    | systeminformation.json | Operating system information and resource usage | diagnosee |
    | task-result.json | Result of each diagnostic task | diagnoser |
    | tunnelstate.json | Tunnel connections at the time of diagnosis | diagnosee |

    Footnotes

    1. If the log file is blank, you may need to set --loglevel to debug when you start the tunnel. The --loglevel parameter is only required if you ran the tunnel from the CLI using a cloudflared tunnel run command. It is not necessary if the tunnel runs as a Linux/macOS service or runs in Docker/Kubernetes.

    For more information, refer to Diagnostic logs.
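    Before attaching a diagnostic archive to a support case, it is worth confirming that it is complete and that the log file is not empty (the situation footnote 1 describes). The following checker is an added example, not part of cloudflared: it assumes only what the table above states, namely the archive name pattern and the eleven member files with their diagnosee/diagnoser roles, and builds a constructed in-memory archive of that shape to run against.

```python
"""Sanity-check a cloudflared-diag archive before sending it on.

Added example, not cloudflared code. The expected member list and the
diagnosee/diagnoser roles come from the changelog table; the sample
archive content is constructed here for illustration.
"""
import io
import re
import zipfile

# File name -> which instance the data describes (from the changelog table).
EXPECTED_MEMBERS = {
    "cli-configuration.json": "diagnosee",
    "cloudflared_logs.txt": "diagnosee",
    "configuration.json": "diagnosee",
    "goroutine.pprof": "diagnosee",
    "heap.pprof": "diagnosee",
    "metrics.txt": "diagnosee",
    "network.txt": "diagnoser",
    "raw-network.txt": "diagnoser",
    "systeminformation.json": "diagnosee",
    "task-result.json": "diagnoser",
    "tunnelstate.json": "diagnosee",
}

# cloudflared-diag-YYYY-MM-DDThh-mm-ss.zip, as named in the changelog.
ARCHIVE_NAME_RE = re.compile(
    r"^cloudflared-diag-\d{4}-\d{2}-\d{2}T\d{2}-\d{2}-\d{2}\.zip$"
)


def check_diag_archive(name, data):
    """Report on an archive given its file name and raw bytes.

    Returns a dict with: whether the name matches the expected pattern,
    expected members that are missing, members that were not expected,
    whether cloudflared_logs.txt is present but empty, and the members
    grouped by the instance (diagnosee/diagnoser) they describe.
    """
    report = {
        "name_ok": bool(ARCHIVE_NAME_RE.match(name)),
        "missing": [],
        "unexpected": [],
        "blank_log": False,
        "by_instance": {"diagnosee": [], "diagnoser": []},
    }
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        present = {info.filename: info for info in zf.infolist()}
        for member, role in EXPECTED_MEMBERS.items():
            if member in present:
                report["by_instance"][role].append(member)
            else:
                report["missing"].append(member)
        report["unexpected"] = sorted(set(present) - set(EXPECTED_MEMBERS))
        # Footnote 1: a blank log usually means the tunnel was started from the
        # CLI without --loglevel debug, so flag it rather than ship an empty file.
        log = present.get("cloudflared_logs.txt")
        if log is not None and log.file_size == 0:
            report["blank_log"] = True
    return report


def build_sample_archive(include_log_content=True, drop=()):
    """Construct an in-memory archive shaped like a diag zip (sample data, not real output)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member in EXPECTED_MEMBERS:
            if member in drop:
                continue
            if member == "cloudflared_logs.txt":
                zf.writestr(member, "sample log line\n" if include_log_content else "")
            else:
                zf.writestr(member, "{}" if member.endswith(".json") else "sample")
    return buf.getvalue()


if __name__ == "__main__":
    good = check_diag_archive("cloudflared-diag-2025-01-06T10-00-00.zip", build_sample_archive())
    print("complete archive:", good)
    bad = check_diag_archive(
        "diag.zip", build_sample_archive(include_log_content=False, drop=("network.txt",))
    )
    print("incomplete archive:", bad)
```

    Run it against a real archive with `check_diag_archive(path.name, path.read_bytes())`; a non-empty `missing` list or `blank_log` set to `True` means the capture should be repeated before the archive is shared.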

  1. Increased transparency for phishing email submissions

    Email security

    You now have more transparency about team and user submissions for phishing emails through a Reclassification tab in the Zero Trust dashboard.

    Reclassifications happen when users or admins submit a phish to Email security. Cloudflare reviews and - in some cases - reclassifies these emails based on improvements to our machine learning models.

    This new tab increases your visibility into this process, allowing you to view what submissions you have made and what the outcomes of those submissions are.


  1. Improved VPN Managed List

    WAF

    Customers can now manage incoming traffic identified as originating from VPN IPs more effectively. Customers with compliance restrictions can use the list to meet local laws and regulations, and customers with CDN restrictions can use the improved VPN Managed List to prevent unauthorized access by users attempting to bypass geographical restrictions. With the new VPN Managed List enhancements, customers can improve their overall security posture and reduce exposure to unwanted or malicious traffic.

  1. Establish BGP peering over Direct CNI circuits

    Magic Transit Cloudflare WAN Network Interconnect

    Magic WAN and Magic Transit customers can use the Cloudflare dashboard to configure and manage BGP peering between their networks and their Magic routing table when using a Direct CNI on-ramp.

    Using BGP peering allows customers to:

    • Automate the process of adding or removing networks and subnets.
    • Take advantage of failure detection and session recovery features.

    With this functionality, customers can:

    • Establish an eBGP session between their devices and the Magic WAN / Magic Transit service when connected via CNI.
    • Secure the session by MD5 authentication to prevent misconfigurations.
    • Exchange routes dynamically between their devices and their Magic routing table.

    Refer to Magic WAN BGP peering or Magic Transit BGP peering to learn more about this feature and how to set it up.

  1. Up to 10x faster cached queries for Hyperdrive

    Hyperdrive

    Hyperdrive now caches queries in all Cloudflare locations, decreasing cache hit latency by up to 90%.

    When you make a query to your database and Hyperdrive has cached the query results, Hyperdrive now returns the results from the nearest cache. By caching data closer to your users, cache hit latency is reduced by up to 90%.

    This reduction in cache hit latency is reflected in a reduction of the session duration for all queries (cached and uncached) from Cloudflare Workers to Hyperdrive, as illustrated below.

    Hyperdrive edge caching improves average session duration for database queries

    P50, P75, and P90 Hyperdrive session latency for all client connection sessions (both cached and uncached queries) for Hyperdrive configurations with caching enabled during the rollout period.

    This performance improvement is applied to all new and existing Hyperdrive configurations that have caching enabled.

    For more details on how Hyperdrive performs query caching, refer to the Hyperdrive documentation.

  1. Terraform Support for Snippets

    Rules

    Now, you can manage Cloudflare Snippets with Terraform. Use infrastructure-as-code to deploy and update Snippet code and rules without manual changes in the dashboard.

    Example Terraform configuration:

    resource "cloudflare_snippet" "my_snippet" {
      zone_id  = "<ZONE_ID>"
      name = "my_test_snippet_1"
      main_module = "file1.js"
      files {
        name = "file1.js"
        content = file("file1.js")
      }
    }
    resource "cloudflare_snippet_rules" "cookie_snippet_rule" {
      zone_id  = "<ZONE_ID>"
      rules {
        enabled = true
        expression = "http.cookie eq \"a=b\""
        description = "Trigger snippet on specific cookie"
        snippet_name = "my_test_snippet_1"
      }
      depends_on = [cloudflare_snippet.my_snippet]
    }

    Learn more in the Configure Snippets using Terraform documentation.

  1. Change the order of list items in IP Lists (for API and Terraform users)

    WAF

    Due to changes in the API implementation, the order of list items in an IP list obtained via API or Terraform may change, which may cause Terraform to detect a change in Terraform state. To fix this issue, resync the Terraform state or upgrade the version of your Terraform Cloudflare provider to version 4.44.0 or later.

  1. Generate customized terraform files for building cloud network on-ramps

    Multi-Cloud Networking

    You can now generate customized terraform files for building cloud network on-ramps to Magic WAN.

    Magic Cloud can scan and discover existing network resources and generate the required terraform files, so that you can automate cloud resource deployment using your existing infrastructure-as-code workflows for cloud automation.

    You might want to do this to:

    • Review the proposed configuration for an on-ramp before deploying it with Cloudflare.
    • Deploy the on-ramp using your own infrastructure-as-code pipeline instead of deploying it with Cloudflare.

    For more details, refer to Set up with Terraform.

  1. Find security misconfigurations in your AWS cloud environment

    CASB

    You can now use CASB to find security misconfigurations in your AWS cloud environment using Data Loss Prevention.

    You can also connect your AWS compute account to extract and scan your S3 buckets for sensitive data while avoiding egress fees. CASB will scan any objects that exist in the bucket at the time of configuration.

    To connect a compute account to your AWS integration:

    1. In Cloudflare One, go to Cloud & SaaS findings > Integrations.
    2. Find and select your AWS integration.
    3. Select Open connection instructions.
    4. Follow the instructions provided to connect a new compute account.
    5. Select Refresh.

  1. Cloud Connector Now Supports R2

    Rules

    Now, you can use Cloud Connector to route traffic to your R2 buckets based on URLs, headers, geolocation, and more.

    Example setup:

    Terminal window
    curl --request PUT \
    "https://api.cloudflare.com/client/v4/zones/{zone_id}/cloud_connector/rules" \
    --header "Authorization: Bearer <API_TOKEN>" \
    --header "Content-Type: application/json" \
    --data '[
      {
        "expression": "http.request.uri.path wildcard \"/images/*\"",
        "provider": "cloudflare_r2",
        "description": "Connect to R2 bucket containing images",
        "parameters": {
          "host": "mybucketcustomdomain.example.com"
        }
      }
    ]'

    Get started using Cloud Connector documentation.

  1. Improved non-English keyboard support

    Browser Isolation

    You can now type in languages that use diacritics (like á or ç) and character-based scripts (such as Chinese, Japanese, and Korean) directly within the remote browser. The isolated browser now properly recognizes non-English keyboard input, eliminating the need to copy and paste content from a local browser or device.

  1. Smart Tiered Cache automatically optimizes R2 caching

    Cache / CDN

    You can now reduce latency and lower R2 egress costs automatically when using Smart Tiered Cache with R2. Cloudflare intelligently selects a tiered data center close to your R2 bucket location, creating an efficient caching topology without additional configuration.

    How it works

    When you enable Smart Tiered Cache for zones using R2 as an origin, Cloudflare automatically:

    1. Identifies your R2 bucket location: Determines the geographical region where your R2 bucket is stored.
    2. Selects an optimal Upper Tier: Chooses a data center close to your bucket as the common Upper Tier cache.
    3. Routes requests efficiently: All cache misses in edge locations route through this Upper Tier before reaching R2.

    Benefits

    • Automatic optimization: No manual configuration required.
    • Lower egress costs: Fewer requests to R2 reduce egress charges.
    • Improved hit ratio: Common Upper Tier increases cache efficiency.
    • Reduced latency: Upper Tier proximity to R2 minimizes fetch times.

    Get started

    To get started, enable Smart Tiered Cache on your zone using R2 as an origin.

  1. Security Events pagination

    WAF

    Fixed an issue with pagination in Security Events' sampled logs where some pages were missing data. Also removed the total count from the events log as these are only sampled logs.

  1. Bypass caching for subrequests made from Cloudflare Workers, with Request.cache

    Workers

    You can now use the cache property of the Request interface to bypass Cloudflare's cache when making subrequests from Cloudflare Workers, by setting its value to no-store.

    index.js
    export default {
      async fetch(req, env, ctx) {
        const request = new Request("https://cloudflare.com", {
          cache: "no-store",
        });
        const response = await fetch(request);
        return response;
      },
    };

    When you set the value to no-store on a subrequest made from a Worker, the Cloudflare Workers runtime will not check whether a match exists in the cache, and not add the response to the cache, even if the response includes directives in the Cache-Control HTTP header that otherwise indicate that the response is cacheable.

    This increases compatibility with NPM packages and JavaScript frameworks that rely on setting the cache property, which is a cross-platform standard part of the Request interface. Previously, if you set the cache property on Request, the Workers runtime threw an exception.

    If you've tried to use @planetscale/database, redis-js, stytch-node, supabase, axiom-js or have seen the error message The cache field on RequestInitializerDict is not implemented in fetch — you should try again, making sure that the Compatibility Date of your Worker is set to on or after 2024-11-11, or the cache_option_enabled compatibility flag is enabled for your Worker.

  1. Use Logpush for Email security user actions

    Email security

    You can now send user action logs for Email security to an endpoint of your choice with Cloudflare Logpush.

    Filter logs matching specific criteria you have set or select from multiple fields you want to send. For all users, we will log the date and time, user ID, IP address, details about the message they accessed, and what actions they took.

    When creating a new Logpush job, remember to select Audit logs as the dataset and filter by:

    • Field: "ResourceType"
    • Operator: "starts with"
    • Value: "email_security".

    For more information, refer to Enable user action logs.

    This feature is available across all Email security packages:

    • Enterprise
    • Enterprise + PhishGuard
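    A quick way to confirm that the filter above selects the intended records is to apply the same rule to a handful of exported Audit logs lines locally. The following is an added example, not Cloudflare code: it assumes Audit logs records are JSON objects with a ResourceType field (the one field the page names); the other field names, the operator semantics and the sample records are constructed for illustration, and "starts with" is implemented as a plain string-prefix test.

```python
"""Apply the Logpush "ResourceType starts with email_security" filter to sample records.

Added example, not Cloudflare code. Only ResourceType is taken from the
page; the remaining field names and all sample values are constructed.
"""
import json

# The filter exactly as the changelog says to configure the Logpush job.
LOGPUSH_FILTER = {"field": "ResourceType", "operator": "starts with", "value": "email_security"}

# Operator table; "starts with" is the one the page uses, the others show the shape.
OPERATORS = {
    "starts with": lambda actual, expected: isinstance(actual, str) and actual.startswith(expected),
    "equals": lambda actual, expected: actual == expected,
    "contains": lambda actual, expected: isinstance(actual, str) and expected in actual,
}


def matches(record, flt):
    """True if one record satisfies the filter; a missing field never matches."""
    return OPERATORS[flt["operator"]](record.get(flt["field"]), flt["value"])


def select_email_security_actions(jsonl):
    """Parse JSON-lines input and keep only records that pass LOGPUSH_FILTER."""
    selected = []
    for line in jsonl.splitlines():
        if not line.strip():          # tolerate blank lines in an export
            continue
        record = json.loads(line)
        if matches(record, LOGPUSH_FILTER):
            selected.append(record)
    return selected


# Constructed sample export: field names other than ResourceType are assumed.
SAMPLE_AUDIT_LOGS = "\n".join(json.dumps(r) for r in [
    {"When": "2025-01-06T09:00:00Z", "ResourceType": "email_security_user_action",
     "ActorEmail": "analyst@example.com", "ActorIP": "203.0.113.10", "ActionType": "release"},
    {"When": "2025-01-06T09:01:00Z", "ResourceType": "zones",
     "ActorEmail": "admin@example.com", "ActorIP": "203.0.113.11", "ActionType": "update"},
    {"When": "2025-01-06T09:02:00Z", "ResourceType": "email_security_team_submission",
     "ActorEmail": "analyst@example.com", "ActorIP": "203.0.113.10", "ActionType": "submit"},
    {"When": "2025-01-06T09:03:00Z", "ActorEmail": "svc@example.com", "ActorIP": "203.0.113.12"},
]) + "\n\n"

if __name__ == "__main__":
    for rec in select_email_security_actions(SAMPLE_AUDIT_LOGS):
        print(rec["When"], rec["ActorEmail"], rec["ActorIP"], rec.get("ActionType"))
```

    The point of the prefix operator is visible in the sample: both constructed Email security resource types match while the unrelated zones record and the record with no ResourceType do not, so one Logpush job covers every Email security action type without enumerating them.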

  1. Stage and test cache configurations safely

    Cache / CDN

    You can now stage and test cache configurations before deploying them to production. Versioned environments let you safely validate cache rules, purge operations, and configuration changes without affecting live traffic.

    How it works

    With versioned environments, you can:

    1. Create staging versions of your cache configuration.
    2. Test cache rules in a non-production environment.
    3. Purge staged content independently from production.
    4. Validate changes before promoting to production.

    This capability integrates with Cloudflare's broader versioning system, allowing you to manage cache configurations alongside other zone settings.

    Benefits

    • Risk-free testing: Validate configuration changes without impacting production.
    • Independent purging: Clear staging cache without affecting live content.
    • Deployment confidence: Catch issues before they reach end users.
    • Team collaboration: Multiple team members can work on different versions.

    Get started

    To get started, refer to the version management documentation.

  1. Shard cache using custom cache key values

    Cache / CDN

    Enterprise customers can now optimize cache hit ratios for content that varies by device, language, or referrer by sharding cache using up to ten values from previously restricted headers with custom cache keys.

    How it works

    When configuring custom cache keys, you can now include values from these headers to create distinct cache entries:

    • accept* headers (for example, accept, accept-encoding, accept-language): Serve different cached versions based on content negotiation.
    • referer header: Cache content differently based on the referring page or site.
    • user-agent header: Maintain separate caches for different browsers, devices, or bots.

    When to use cache sharding

    • Content varies significantly by device type (mobile vs desktop).
    • Different language or encoding preferences require distinct responses.
    • Referrer-specific content optimization is needed.

    Example configuration

    {
      "cache_key": {
        "custom_key": {
          "header": {
            "include": ["accept-language", "user-agent"],
            "check_presence": ["referer"]
          }
        }
      }
    }

    This configuration creates separate cache entries based on the accept-language and user-agent headers, while also considering whether the referer header is present.
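    To see what the two options do to the number of cache entries, it helps to model the key derivation. The following is an added example, not Cloudflare's implementation: it mirrors the JSON shape shown above (cache_key.custom_key.header.include and check_presence) and the ten-value limit stated earlier, treats an included header as contributing its full value and a check_presence header as contributing only a present/absent bit, and runs a constructed set of requests for one URL through it. Header names are compared case-insensitively, as HTTP header names are.

```python
"""Model how include/check_presence header settings shard a custom cache key.

Added example, not Cloudflare code: an illustrative model of the config
shape shown on the page, with constructed sample requests.
"""
import hashlib

LIMIT = 10  # the changelog states up to ten header values may be used


def header_key_parts(config, request_headers):
    """Return the (name, value) components the headers contribute to the key.

    include:        the header's full value is part of the key ("" if absent).
    check_presence: only whether the header exists is part of the key.
    """
    header_cfg = config["cache_key"]["custom_key"]["header"]
    include = header_cfg.get("include", [])
    presence = header_cfg.get("check_presence", [])
    if len(include) + len(presence) > LIMIT:
        raise ValueError(f"at most {LIMIT} header values may be used in a custom cache key")
    lowered = {k.lower(): v for k, v in request_headers.items()}
    parts = [(name.lower(), lowered.get(name.lower(), "")) for name in include]
    parts += [(name.lower() + ":present", "1" if name.lower() in lowered else "0")
              for name in presence]
    return parts


def cache_key(config, url, request_headers):
    """Stable digest of the URL plus the header components chosen by the config."""
    material = url + "\n" + "\n".join(f"{k}={v}" for k, v in header_key_parts(config, request_headers))
    return hashlib.sha256(material.encode()).hexdigest()


def count_shards(config, url, requests):
    """Number of distinct cache entries a set of requests for one URL would create."""
    return len({cache_key(config, url, headers) for headers in requests})


# The configuration from the page.
CONFIG = {
    "cache_key": {
        "custom_key": {
            "header": {
                "include": ["accept-language", "user-agent"],
                "check_presence": ["referer"],
            }
        }
    }
}

# Constructed sample requests for a single URL.
SAMPLE_REQUESTS = [
    {"Accept-Language": "en", "User-Agent": "Mobile/1.0", "Referer": "https://a.example"},
    {"Accept-Language": "en", "User-Agent": "Mobile/1.0", "Referer": "https://b.example"},  # same entry: presence only
    {"Accept-Language": "en", "User-Agent": "Mobile/1.0"},                                  # referer absent: new entry
    {"Accept-Language": "de", "User-Agent": "Mobile/1.0", "Referer": "https://a.example"},  # language differs
    {"Accept-Language": "en", "User-Agent": "Desktop/1.0", "Referer": "https://a.example"}, # user-agent differs
]

if __name__ == "__main__":
    print(count_shards(CONFIG, "https://example.com/page", SAMPLE_REQUESTS))
```

    The sample shows the trade-off behind the limit: a header in include multiplies entries by the number of distinct values seen (user-agent alone can run to thousands), while a header in check_presence at most doubles them, so check_presence is the cheaper choice whenever only the existence of the header matters.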

    Get started

    To get started, refer to the custom cache keys documentation.

  1. New table in Security Analytics and Security Events

    WAF

    Switched to a new, more responsive table in Security Analytics and Security Events.

  1. Workflows is now in open beta

    Workers Workflows

    Workflows is now in open beta, and available to any developer on a free or paid Workers plan.

    Workflows allow you to build multi-step applications that can automatically retry, persist state and run for minutes, hours, days, or weeks. Workflows introduces a programming model that makes it easier to build reliable, long-running tasks, observe as they progress, and programmatically trigger instances based on events across your services.

    Get started

    You can get started with Workflows by following our get started guide and/or using npm create cloudflare to pull down the starter project:

    Terminal window
    npm create cloudflare@latest workflows-starter -- --template "cloudflare/workflows-starter"

    You can open the src/index.ts file, extend it, and use wrangler deploy to deploy your first Workflow. From there, you can:

  1. Simplified UI for URL Rewrites

    Rules

    It's now easy to create wildcard-based URL Rewrites. No need for complex functions: just define your patterns and go.

    What's improved:

    • Full wildcard support: create rewrite patterns using an intuitive interface.
    • Simplified rule creation: no need for complex functions.

    Try it by creating a Rewrite URL rule in the dashboard.

  1. New fields added to Gateway-related datasets in Cloudflare Logs

    Logs

    Cloudflare has introduced new fields to two Gateway-related datasets in Cloudflare Logs:

    • Gateway HTTP: ApplicationIDs, ApplicationNames, CategoryIDs, CategoryNames, DestinationIPContinentCode, DestinationIPCountryCode, ProxyEndpoint, SourceIPContinentCode, SourceIPCountryCode, VirtualNetworkID, and VirtualNetworkName.

    • Gateway Network: ApplicationIDs, ApplicationNames, DestinationIPContinentCode, DestinationIPCountryCode, ProxyEndpoint, SourceIPContinentCode, SourceIPCountryCode, TransportProtocol, VirtualNetworkID, and VirtualNetworkName.

