  1. WARP client for Windows (version 2025.9.173.1)

    Zero Trust WARP Client

    A new Beta release for the Windows WARP client is now available on the beta releases downloads page.

    This release contains minor fixes, improvements, and new features including Path Maximum Transmission Unit Discovery (PMTUD). With PMTUD enabled, the client will dynamically adjust packet sizing to optimize connection performance. There is also a new connection status message in the GUI to inform users that the local network connection may be unstable. This will make it easier to debug connectivity issues.

    Changes and improvements

    • Improvements for Windows multi-user to maintain the Global WARP override state when switching between users.
    • The GUI now displays the health of the tunnel and DNS connections by showing a connection status message when the network may be unstable. This will make it easier to debug connectivity issues.
    • Deleting registrations no longer returns an error when succeeding.
    • Path Maximum Transmission Unit Discovery (PMTUD) is now used to discover the effective MTU of the connection. This allows the client to improve connection performance optimized for the current network.

    Known issues

    • For Windows 11 24H2 users, Microsoft has confirmed a regression that may lead to performance issues like mouse lag, audio cracking, or other slowdowns. Cloudflare recommends users experiencing these issues upgrade to a minimum Windows 11 24H2 KB5062553 or higher for resolution.

    • Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to Route traffic to fallback server.

    • Devices with KB5055523 installed may receive a warning about Win32/ClickFix.ABA being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to version 1.429.19.0 or later.

    • DNS resolution may be broken when the following conditions are all true:

      • WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode.
      • A custom DNS server address is configured on the primary network adapter.
      • The custom DNS server address on the primary network adapter is changed while WARP is connected.

      To work around this issue, reconnect the WARP client by toggling off and back on.

  1. WARP client for macOS (version 2025.9.173.1)

    Zero Trust WARP Client

    A new Beta release for the macOS WARP client is now available on the beta releases downloads page.

    This release contains minor fixes, improvements, and new features including Path Maximum Transmission Unit Discovery (PMTUD). With PMTUD enabled, the client will dynamically adjust packet sizing to optimize connection performance. There is also a new connection status message in the GUI to inform users that the local network connection may be unstable. This will make it easier to debug connectivity issues.

    Changes and improvements

    • The GUI now displays the health of the tunnel and DNS connections by showing a connection status message when the network may be unstable. This will make it easier to debug connectivity issues.
    • Deleting registrations no longer returns an error when succeeding.
    • Path Maximum Transmission Unit Discovery (PMTUD) is now used to discover the effective MTU of the connection. This allows the client to improve connection performance optimized for the current network.

    Known issues

    • macOS Sequoia: Due to changes Apple introduced in macOS 15.0.x, the WARP client may not behave as expected. Cloudflare recommends the use of macOS 15.4 or later.
    • Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to Route traffic to fallback server.

  1. View and edit Durable Object data in UI with Data Studio (Beta)

    Durable Objects Workers
    Screenshot of Durable Objects Data Studio

    You can now view and write to each Durable Object's storage using a UI editor on the Cloudflare dashboard. Only Durable Objects using SQLite storage can use Data Studio.

    Go to Durable Objects

    Data Studio unlocks easier data access with Durable Objects for prototyping application data models to debugging production storage usage. Before, querying your Durable Objects data required deploying a Worker.

    To access a Durable Object, you can provide an object's unique name or ID generated by Cloudflare. Data Studio requires you to have at least the Workers Platform Admin role, and all queries are captured with audit logging for your security and compliance needs. Queries executed by Data Studio send requests to your remote, deployed objects and incur normal usage billing.

    To learn more, visit the Data Studio documentation. If you have feedback or suggestions for the new Data Studio, please share your experience on Discord

  1. Increased HTTP header size limit to 128 KB

    Cloudflare Fundamentals

    CDN now supports 128 KB request and response headers 🚀

    We're excited to announce a significant increase in the maximum header size supported by Cloudflare's Content Delivery Network (CDN). Cloudflare now supports up to 128 KB for both request and response headers.

    Previously, customers were limited to a total of 32 KB for request or response headers, with a maximum of 16 KB per individual header. Larger headers could cause requests to fail with HTTP 413 (Request Header Fields Too Large) errors.

    What's new?

    • Support for large headers: You can now utilize much larger headers, whether as a single large header up to 128 KB or split over multiple headers.
    • Reduces 413 and 520 HTTP errors: This change drastically reduces the likelihood of customers encountering HTTP 413 errors from large request headers or HTTP 520 errors caused by oversized response headers, improving the overall reliability of your web applications.
    • Enhanced functionality: This is especially beneficial for applications that rely on:
      • A large number of cookies.
      • Large Content-Security-Policy (CSP) response headers.
      • Advanced use cases with Cloudflare Workers that generate large response headers.

    This enhancement improves compatibility with Cloudflare's CDN, enabling more use cases that previously failed due to header size limits.

    To learn more and get started, refer to the Cloudflare Fundamentals documentation.

  1. Monitor Groups for Advanced Health Checking With Load Balancing

    Load Balancing

    Cloudflare Load Balancing now supports Monitor Groups, a powerful new way to combine multiple health monitors into a single, logical group. This allows you to create sophisticated health checks that more accurately reflect the true availability of your applications by assessing multiple services at once.

    With Monitor Groups, you can ensure that all critical components of an application are healthy before sending traffic to an origin pool, enabling smarter failover decisions and greater resilience. This feature is now available via the API for customers with an Enterprise Load Balancing subscription.

    What you can do:

    • Combine Multiple Monitors: Group different health monitors (for example, HTTP, TCP) that check various application components, like a primary API gateway and a specific /login service.
    • Isolate Monitors for Observation: Mark a monitor as "monitoring only" to receive alerts and data without it affecting a pool's health status or traffic steering. This is perfect for testing new checks or observing non-critical dependencies.
    • Improve Steering Intelligence: Latency for Dynamic Steering is automatically averaged across all active monitors in a group, providing a more holistic view of an origin's performance.

    This enhancement is ideal for complex, multi-service applications where the health of one component depends on another. By aggregating health signals, Monitor Groups provide a more accurate and comprehensive assessment of your application's true status.

    For detailed information and API configuration guides, please visit our developer documentation for Monitor Groups.

  1. Enhanced AI Crawl Control metrics with new drilldowns and filters

    AI Crawl Control

    AI Crawl Control now provides enhanced metrics and CSV data exports to help you better understand AI crawler activity across your sites.

    What's new

    Track crawler requests over time

    Visualize crawler activity patterns over time, and group data by different dimensions:

    • By Crawler — Track activity from individual AI crawlers (GPTBot, ClaudeBot, Bytespider)
    • By Category — Analyze crawler purpose or type
    • By Operator — Discover which companies (OpenAI, Anthropic, ByteDance) are crawling your site
    • By Host — Break down activity across multiple subdomains
    • By Status Code — Monitor HTTP response codes to crawlers (200s, 300s, 400s, 500s)
    AI Crawl Control requests over time chart with grouping tabs
    Interactive chart showing crawler requests over time with filterable dimensions

    Analyze referrer data (Paid plans)

    Identify traffic sources with referrer analytics:

    • View top referrers driving traffic to your site
    • Understand discovery patterns and content popularity from AI operators
    AI Crawl Control top referrers breakdown
    Bar chart showing top referrers and their respective traffic volumes

    Export data

    Download your filtered view as a CSV:

    • Includes all applied filters and groupings
    • Useful for custom reporting and deeper analysis

    Get started

    1. Log in to the Cloudflare dashboard, and select your account and domain.
    2. Go to AI Crawl Control > Metrics.
    3. Use the grouping tabs to explore different views of your data.
    4. Apply filters to focus on specific crawlers, time ranges, or response codes.
    5. Select Download CSV to export your filtered data for further analysis.

    Learn more about AI Crawl Control.

  1. Single sign-on now manageable in the user experience

    Cloudflare Fundamentals
    Screenshot of new user experience for managing SSO

    During Birthday Week, we announced that single sign-on (SSO) is available for free to everyone who signs in with a custom email domain and maintains a compatible identity provider. SSO minimizes user friction around login and provides the strongest security posture available. At the time, this could only be configured using the API.

    Today, we are launching a new user experience which allows users to manage their SSO configuration from within the Cloudflare dashboard. You can access this by going to Manage account > Members > Settings.

    For more information

  1. WAF Release - 2025-10-13

    WAF

    This week’s highlights include a new JinJava rule targeting a sandbox-bypass flaw that could allow malicious template input to escape execution controls. The rule improves detection for unsafe template rendering paths.

    Key Findings

    New WAF rule deployed for JinJava (CVE-2025-59340) to block a sandbox bypass in the template engine that permits attacker-controlled type construction and arbitrary class instantiation; in vulnerable environments this can escalate to remote code execution and full server compromise.

    Impact

    • CVE-2025-59340 — Exploitation enables attacker-supplied type descriptors / Jackson ObjectMapper abuse, allowing arbitrary class loading, file/URL access (LFI/SSRF primitives) and, with suitable gadget chains, potential remote code execution and system compromise.
    RulesetRule IDLegacy Rule IDDescriptionPrevious ActionNew ActionComments
    Cloudflare Managed Ruleset 100892JinJava - SSTI - CVE:CVE-2025-59340LogBlockThis is a New Detection

  1. New domain categories added

    Gateway

    We have added three new domain categories under the Technology parent category, to better reflect online content and improve DNS filtering.

    New categories added

    Parent IDParent NameCategory IDCategory Name
    26Technology194Keep Awake Software
    26Technology192Remote Access
    26Technology193Shareware/Freeware

    Refer to Gateway domain categories to learn more.

  1. Worker startup time limit increased to 1 second

    Workers

    You can now upload a Worker that takes up 1 second to parse and execute its global scope. Previously, startup time was limited to 400 ms.

    This allows you to run Workers that import more complex packages and execute more code prior to requests being handled.

    For more information, see the documentation on Workers startup limits.

  1. Expanded CT log activity insights on Cloudflare Radar

    Radar

    Radar has expanded its Certificate Transparency (CT) log insights with new stats that provide greater visibility into log activity:

    • Log growth rate: The average throughput of the CT log over the past 7 days, measured in certificates per hour.
    • Included certificate count: The total number of certificates already included in this CT log.
    • Eligible-for-inclusion certificate count: The number of certificates eligible for inclusion in this log but not yet included. This metric is based on certificates signed by trusted root CAs within the log’s accepted date range.
    • Last update: The timestamp of the most recent update to the CT log.

    These new statistics have been added to the response of the Get Certificate Log Details API endpoint, and are displayed on the CT log information page.

    Screenshot of the CT log activity card on the CT log information page

  1. You can now deploy full-stack apps on Workers using Terraform

    Workers

    You can now upload Workers with static assets (like HTML, CSS, JavaScript, images) with the Cloudflare Terraform provider v5.11.0, making it even easier to deploy and manage full-stack apps with IaC.

    Previously, you couldn't use Terraform to upload static assets without writing custom scripts to handle generating an asset manifest, calling the Cloudflare API to upload assets in chunks, and handling change detection.

    Now, you simply define the directory where your assets are built, and we handle the rest. Check out the examples for what this looks like in Terraform configuration.

    You can get started today with the Cloudflare Terraform provider (v5.11.0), using either the existing cloudflare_workers_script resource, or the beta cloudflare_worker_version resource.

    Examples

    With cloudflare_workers_script

    Here's how you can use the existing cloudflare_workers_script resource to upload your Worker code and assets in one shot.

    resource "cloudflare_workers_script" "my_app" {
      account_id  = var.account_id
      script_name = "my-app"
    

      content_file   = "./dist/worker/index.js"
      content_sha256 = filesha256("./dist/worker/index.js")
      main_module    = "index.js"
    

      # Just point to your assets directory - that's it!
      assets = {
        directory = "./dist/static"
      }
    }

    With cloudflare_worker, cloudflare_worker_version, and cloudflare_workers_deployment

    And here's an example using the beta cloudflare_worker_version resource, alongside the cloudflare_worker and cloudflare_workers_deployment resources:

    # This tracks the existence of your Worker, so that you
    # can upload code and assets separately from tracking Worker state.
    

    resource "cloudflare_worker" "my_app" {
      account_id = var.account_id
      name       = "my-app"
    }
    

    resource "cloudflare_worker_version" "my_app_version" {
      account_id = var.account_id
      worker_id  = cloudflare_worker.my_app.id
    

      # Just point to your assets directory - that's it!
      assets = {
        directory = "./dist/static"
      }
    

      modules = [{
        name         = "index.js"
        content_file = "./dist/worker/index.js"
        content_type = "application/javascript+module"
      }]
    }
    

    resource "cloudflare_workers_deployment" "my_app_deployment" {
      account_id  = var.account_id
      script_name = cloudflare_worker.my_app.name
    

      strategy = "percentage"
      versions = [{
        version_id = cloudflare_worker_version.my_app_version.id
        percentage = 100
      }]
    }

    What's changed

    Under the hood, the Cloudflare Terraform provider now handles the same logic that Wrangler uses for static asset uploads. This includes scanning your assets directory, computing hashes for each file, generating a manifest with file metadata, and calling the Cloudflare API to upload any missing files in chunks. We support large directories with parallel uploads and chunking, and when the asset manifest hash changes, we detect what's changed and trigger an upload for only those changed files.

    Try it out

  1. You can now deploy and manage Workflows in Terraform

    Workers

    You can now create and manage Workflows using Terraform, now supported in the Cloudflare Terraform provider v5.11.0. Workflows allow you to build durable, multi-step applications -- without needing to worry about retrying failed tasks or managing infrastructure.

    Now, you can deploy and manage Workflows through Terraform using the new cloudflare_workflow resource:

    resource "cloudflare_workflow" "my_workflow" {
      account_id    = var.account_id
      workflow_name = "my-workflow"
      class_name    = "MyWorkflow"
      script_name   = "my-worker"
    }

    Examples

    Here are full examples of how to configure cloudflare_workflow in Terraform, using the existing cloudflare_workers_script resource, and the beta cloudflare_worker_version resource.

    With cloudflare_workflow and cloudflare_workers_script

    resource "cloudflare_workers_script" "workflow_worker" {
      account_id  = var.cloudflare_account_id
      script_name = "my-workflow-worker"
    

      content_file   = "${path.module}/../dist/worker/index.js"
      content_sha256 = filesha256("${path.module}/../dist/worker/index.js")
      main_module    = "index.js"
    }
    

    resource "cloudflare_workflow" "workflow" {
      account_id    = var.cloudflare_account_id
      workflow_name = "my-workflow"
      class_name    = "MyWorkflow"
      script_name   = cloudflare_workers_script.workflow_worker.script_name
    }

    With cloudflare_workflow, and the new beta resources

    You can more granularly control the lifecycle of each Worker resource using the beta cloudflare_worker_version resource, alongside the cloudflare_worker and cloudflare_workers_deployment resources.

    resource "cloudflare_worker" "workflow_worker" {
      account_id = var.cloudflare_account_id
      name       = "my-workflow-worker"
    }
    

    resource "cloudflare_worker_version" "workflow_worker_version" {
      account_id = var.cloudflare_account_id
      worker_id  = cloudflare_worker.workflow_worker.id
    

      main_module         = "index.js"
    

      modules = [{
        name         = "index.js"
        content_file = "${path.module}/../dist/worker/index.js"
        content_type = "application/javascript+module"
      }]
    }
    

    resource "cloudflare_workers_deployment" "workflow_deployment" {
      account_id  = var.cloudflare_account_id
      script_name = cloudflare_worker.workflow_worker.name
    

      strategy = "percentage"
      versions = [{
        version_id = cloudflare_worker_version.workflow_worker_version.id
        percentage = 100
      }]
    }
    

    resource "cloudflare_workflow" "my_workflow" {
      account_id    = var.cloudflare_account_id
      workflow_name = "my-workflow"
      class_name    = "MyWorkflow"
      script_name   = cloudflare_worker.workflow_worker.name
    }

    Try it out

  1. WARP client for Linux (version 2025.8.779.0)

    Zero Trust WARP Client

    A new GA release for the Linux WARP client is now available on the stable releases downloads page.

    This release contains significant fixes and improvements including an updated public key for Linux packages. The public key must be updated if it was installed before September 12, 2025 to ensure the repository remains functional after December 4, 2025. Instructions to make this update are available at pkg.cloudflareclient.com.

    Changes and improvements

    • Proxy mode has been enhanced for even faster resolution. Proxy mode now supports SOCKS4, SOCK5, and HTTP CONNECT over an L4 tunnel with custom congestion control optimizations instead of the previous L3 tunnel to Cloudflare's network. This has more than doubled Proxy mode throughput in lab speed testing, by an order of magnitude in some cases.

    • The MASQUE protocol is now the only protocol that can use Proxy mode. If you previously configured a device profile to use Proxy mode with Wireguard, you will need to select a new WARP mode or switch to the MASQUE protocol. Otherwise, all devices matching the profile will lose connectivity.

    Known issues

    • Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to Route traffic to fallback server.

  1. WARP client for Windows (version 2025.8.779.0)

    Zero Trust WARP Client

    A new GA release for the Windows WARP client is now available on the stable releases downloads page.

    This release contains significant fixes and improvements.

    Changes and improvements

    • Proxy mode has been enhanced for even faster resolution. Proxy mode now supports SOCKS4, SOCK5, and HTTP CONNECT over an L4 tunnel with custom congestion control optimizations instead of the previous L3 tunnel to Cloudflare's network. This has more than doubled Proxy mode throughput in lab speed testing, by an order of magnitude in some cases.

    • The MASQUE protocol is now the only protocol that can use Proxy mode. If you previously configured a device profile to use Proxy mode with Wireguard, you will need to select a new WARP mode or switch to the MASQUE protocol. Otherwise, all devices matching the profile will lose connectivity.

    Known issues

    • For Windows 11 24H2 users, Microsoft has confirmed a regression that may lead to performance issues like mouse lag, audio cracking, or other slowdowns. Cloudflare recommends users experiencing these issues upgrade to a minimum Windows 11 24H2 KB5062553 or higher for resolution.

    • Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to Route traffic to fallback server.

    • Devices with KB5055523 installed may receive a warning about Win32/ClickFix.ABA being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to version 1.429.19.0 or later.

    • DNS resolution may be broken when the following conditions are all true:

      • WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode.
      • A custom DNS server address is configured on the primary network adapter.
      • The custom DNS server address on the primary network adapter is changed while WARP is connected.

      To work around this issue, reconnect the WARP client by toggling off and back on.

  1. WARP client for macOS (version 2025.8.779.0)

    Zero Trust WARP Client

    A new GA release for the macOS WARP client is now available on the stable releases downloads page.

    This release contains significant fixes and improvements.

    Changes and improvements

    • Proxy mode has been enhanced for even faster resolution. Proxy mode now supports SOCKS4, SOCK5, and HTTP CONNECT over an L4 tunnel with custom congestion control optimizations instead of the previous L3 tunnel to Cloudflare's network. This has more than doubled Proxy mode throughput in lab speed testing, by an order of magnitude in some cases.

    • The MASQUE protocol is now the only protocol that can use Proxy mode. If you previously configured a device profile to use Proxy mode with Wireguard, you will need to select a new WARP mode or switch to the MASQUE protocol. Otherwise, all devices matching the profile will lose connectivity.

    Known issues

    • macOS Sequoia: Due to changes Apple introduced in macOS 15.0.x, the WARP client may not behave as expected. Cloudflare recommends the use of macOS 15.4 or later.

    • Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to Route traffic to fallback server.

  1. Automated reminders for backup codes

    Cloudflare Fundamentals

    The most common reason users contact Cloudflare support is lost two-factor authentication (2FA) credentials. Cloudflare supports both app-based and hardware keys for 2FA, but you could lose access to your account if you lose these. Over the past few weeks, we have been rolling out email and in-product reminders that remind you to also download backup codes (sometimes called recovery keys) that can get you back into your account in the event you lose your 2FA credentials. Download your backup codes now by logging into Cloudflare, then navigating to Profile > Security & Authentication > Backup codes.

    Sign-in security best practices

    Cloudflare is critical infrastructure, and you should protect it as such. Please review the following best practices and make sure you are doing your part to secure your account.

    • Use a unique password for every website, including Cloudflare, and store it in a password manager like 1Password or Keeper. These services are cross-platform and simplify the process of managing secure passwords.
    • Use 2FA to make it harder for an attacker to get into your account in the event your password is leaked
    • Store your backup codes securely. A password manager is the best place since it keeps the backup codes encrypted, but you can also print them and put them somewhere safe in your home.
    • If you use an app to manage your 2FA keys, enable cloud backup, so that you don't lose your keys in the event you lose your phone.
    • If you use a custom email domain to sign in, configure SSO.
    • If you use a public email domain like Gmail or Hotmail, you can also use social login with Apple, GitHub, or Google to sign in.
    • If you manage a Cloudflare account for work:
      • Have at least two administrators in case one of them unexpectedly leaves your company
      • Use SCIM to automate permissions management for members in your Cloudflare account

  1. WAF Release - 2025-10-07 - Emergency

    WAF

    This week highlights multiple critical Cisco vulnerabilities (CVE-2025-20363, CVE-2025-20333, CVE-2025-20362). This flaw stems from improper input validation in HTTP(S) requests. An authenticated VPN user could send crafted requests to execute code as root, potentially compromising the device. The initial two rules were made available on September 28, with a third rule added today, October 7, for more robust protection.

    • Cisco (CVE-2025-20333, CVE-2025-20362, CVE-2025-20363): Multiple vulnerabilities that could allow attackers to exploit unsafe deserialization and input validation flaws. Successful exploitation may result in arbitrary code execution, privilege escalation, or command injection on affected systems.

    Impact

    Cisco (CVE-2025-20333, CVE-2025-20362, CVE-2025-20363): Exploitation enables attackers to escalate privileges or achieve remote code execution via command injection. Administrators are strongly advised to apply vendor updates immediately.

    RulesetRule IDLegacy Rule IDDescriptionPrevious ActionNew ActionComments
    Cloudflare Managed Ruleset 100788BCisco Secure Firewall Adaptive Security Appliance - Remote Code Execution - CVE:CVE-2025-20333, CVE:CVE-2025-20362, CVE:CVE-2025-20363N/ABlockThis is a New Detection

  1. New Overview Page for Cloudflare Workers

    Workers
    Screenshot of the Workers overview page in the Cloudflare dashboard

    Each of your Workers now has a new overview page in the Cloudflare dashboard.

    The goal is to make it easier to understand your Worker without digging through multiple tabs. Think of it as a new home base, a place to get a high-level overview on what's going on.

    It's the first place you land when you open a Worker in the dashboard, and it gives you an immediate view of what’s going on. You can see requests, errors, and CPU time at a glance. You can view and add bindings, and see recent versions of your app, including who published them.

    Navigation is also simpler, with visually distinct tabs at the top of the page. At the bottom right you'll find guided steps for what to do next that are based on the state of your Worker, such as adding a binding or connecting a custom domain.

    We plan to add more here over time. Better insights, more controls, and ways to manage your Worker from one page.

    If you have feedback or suggestions for the new Overview page or your Cloudflare Workers experience in general, we'd love to hear from you. Join the Cloudflare developer community on Discord.

  1. R2 Data Catalog table-level compaction

    R2

    You can now enable compaction for individual Apache Iceberg tables in R2 Data Catalog, giving you fine-grained control over different workloads.

    Terminal window
    # Enable compaction for a specific table (no token required)
    npx wrangler r2 bucket catalog compaction enable <BUCKET> <NAMESPACE> <TABLE> --target-size 256

    This allows you to:

    • Apply different target file sizes per table
    • Disable compaction for specific tables
    • Optimize based on table-specific access patterns

    Learn more at Manage catalogs.

  1. Browser Support Detection for PQ Encryption on Cloudflare Radar

    Radar

    Radar now includes browser detection for Post-quantum (PQ) encryption. The Post-quantum encryption card now checks whether a user’s browser supports post-quantum encryption. If support is detected, information about the key agreement in use is displayed.

    Screenshot of the PQ encryption browser support test on the Adoption & Usage page

  1. WAF Release - 2025-10-06

    WAF

    This week’s highlights prioritise an emergency Oracle E-Business Suite RCE rule deployed to block active, high-impact exploitation. Also addressed are high-severity Chaos Mesh controller command-injection flaws that enable unauthenticated in-cluster RCE and potential cluster compromise, plus a form-data multipart boundary issue that permits HTTP Parameter Pollution (HPP). Two new generic SQLi detections were added to catch inline-comment obfuscation and information disclosure techniques.

    Key Findings

    • New emergency rule released for Oracle E-Business Suite (CVE-2025-61882) addressing an actively exploited remote code execution vulnerability in core business application modules. Immediate mitigation deployed to protect enterprise workloads.

    • Chaos Mesh (CVE-2025-59358,CVE-2025-59359,CVE-2025-59360,CVE-2025-59361): A GraphQL debug endpoint on the Chaos Controller Manager is exposed without authentication; several controller mutations (cleanTcs, killProcesses, cleanIptables) are vulnerable to OS command injection.

    • Form-Data (CVE-2025-7783): Attackers who can observe Math.random() outputs and control request fields in form-data may exploit this flaw to perform HTTP parameter pollution, leading to request tampering or data manipulation.

    • Two new generic SQLi detections added to enhance baseline coverage against inline-comment obfuscation and information disclosure attempts.

    Impact

    • CVE-2025-61882 — Oracle E-Business Suite remote code execution (emergency detection): attacker-controlled input can yield full system compromise, data exfiltration, and operational outage; immediate blocking enforced.

    • CVE-2025-59358 / CVE-2025-59359 / CVE-2025-59360 / CVE-2025-59361 — Unauthenticated command-injection in Chaos Mesh controllers allowing remote code execution, cluster compromise, and service disruption (high availability risk).

    • CVE-2025-7783 — Predictable multipart boundaries in form-data enabling HTTP Parameter Pollution; results include request tampering, parameter overwrite, and downstream data integrity loss.

    RulesetRule IDLegacy Rule IDDescriptionPrevious ActionNew ActionComments
    Cloudflare Managed Ruleset 100882Chaos Mesh - Missing Authentication - CVE:CVE-2025-59358LogDisabledThis is a New Detection
    Cloudflare Managed Ruleset 100883Chaos Mesh - Command Injection - CVE:CVE-2025-59359LogBlockThis is a New Detection
    Cloudflare Managed Ruleset 100884Chaos Mesh - Command Injection - CVE:CVE-2025-59361LogBlockThis is a New Detection
    Cloudflare Managed Ruleset 100886Form-Data - Parameter Pollution - CVE:CVE-2025-7783LogBlockThis is a New Detection
    Cloudflare Managed Ruleset 100888Chaos Mesh - Command Injection - CVE:CVE-2025-59360LogBlockThis is a New Detection
    Cloudflare Managed Ruleset 100916Oracle E-Business Suite - Remote Code Execution - CVE:CVE-2025-61882N/ABlockThis is a New Detection
    Cloudflare Managed Ruleset 100917Generic Rules - SQLi - Inline Comment InjectionN/ADisabledThis is a New Detection
    Cloudflare Managed Ruleset 100918Generic Rules - SQLi - Information DisclosureN/ADisabledThis is a New Detection

  1. WAF Release - 2025-10-03

    WAF

    Managed Ruleset Updated

    This update introduces 21 new detections in the Cloudflare Managed Ruleset (all currently set to Disabled mode to preserve remediation logic and allow quick activation if needed). The rules cover a broad spectrum of threats - SQL injection techniques, command and code injection, information disclosure of common files, URL anomalies, and cross-site scripting.

    RulesetRule IDLegacy Rule IDDescriptionPrevious ActionNew ActionComments
    Cloudflare Managed Ruleset 100902Generic Rules - Command Execution - 2N/ADisabledThis is a New Detection
    Cloudflare Managed Ruleset 100908Generic Rules - Command Execution - 3N/ADisabledThis is a New Detection
    Cloudflare Managed Ruleset 100910Generic Rules - Command Execution - 4N/ADisabledThis is a New Detection
    Cloudflare Managed Ruleset 100915Generic Rules - Command Execution - 5N/ADisabledThis is a New Detection
    Cloudflare Managed Ruleset 100899Generic Rules - Content-Type AbuseN/ADisabledThis is a New Detection
    Cloudflare Managed Ruleset 100914Generic Rules - Content-Type InjectionN/ADisabledThis is a New Detection
    Cloudflare Managed Ruleset 100911Generic Rules - Cookie Header InjectionN/ADisabledThis is a New Detection
    Cloudflare Managed Ruleset 100905Generic Rules - NoSQL InjectionN/ADisabledThis is a New Detection
    Cloudflare Managed Ruleset 100913Generic Rules - NoSQL Injection - 2N/ADisabledThis is a New Detection
    Cloudflare Managed Ruleset 100907Generic Rules - Parameter PollutionN/ADisabledThis is a New Detection
    Cloudflare Managed Ruleset 100906Generic Rules - PHP Object InjectionN/ADisabledThis is a New Detection
    Cloudflare Managed Ruleset 100904Generic Rules - Prototype PollutionN/ADisabledThis is a New Detection
    Cloudflare Managed Ruleset 100897Generic Rules - Prototype Pollution 2N/ADisabledThis is a New Detection
    Cloudflare Managed Ruleset 100903Generic Rules - Reverse ShellN/ADisabledThis is a New Detection
    Cloudflare Managed Ruleset 100909Generic Rules - Reverse Shell - 2N/ADisabledThis is a New Detection
    Cloudflare Managed Ruleset 100898Generic Rules - SSJI NoSQLN/ADisabledThis is a New Detection
    Cloudflare Managed Ruleset 100896Generic Rules - SSRFN/ADisabledThis is a New Detection
    Cloudflare Managed Ruleset 100895Generic Rules - Template InjectionN/ADisabledThis is a New Detection
    Cloudflare Managed Ruleset 100895AGeneric Rules - Template Injection - 2N/ADisabledThis is a New Detection
    Cloudflare Managed Ruleset 100912Generic Rules - XXEN/ADisabledThis is a New Detection
    Cloudflare Managed Ruleset 100900Relative Paths - Anomaly HeadersN/ADisabledThis is a New Detection

  1. One-click Cloudflare Access for Workers

    Workers

    You can now enable Cloudflare Access for your workers.dev and Preview URLs in a single click.

    Screenshot of the Enable/Disable Cloudflare Access button on the workers.dev route settings page

    Access allows you to limit access to your Workers to specific users or groups. You can limit access to yourself, your teammates, your organization, or anyone else you specify in your Access policy.

    To enable Cloudflare Access:

    1. In the Cloudflare dashboard, go to the Workers & Pages page.

      Go to Workers & Pages

    2. In Overview, select your Worker.

    3. Go to Settings > Domains & Routes.

    4. For workers.dev or Preview URLs, click Enable Cloudflare Access.

    5. Optionally, to configure the Access application, click Manage Cloudflare Access. There, you can change the email addresses you want to authorize. View Access policies to learn about configuring alternate rules.

    To fully secure your application, it is important that you validate the JWT that Cloudflare Access adds to the Cf-Access-Jwt-Assertion header on the incoming request.

    The following code will validate the JWT using the jose NPM package:

    JavaScript
    import { jwtVerify, createRemoteJWKSet } from "jose";
    

    export default {
      async fetch(request, env, ctx) {
        // Verify the POLICY_AUD environment variable is set
        if (!env.POLICY_AUD) {
          return new Response("Missing required audience", {
            status: 403,
            headers: { "Content-Type": "text/plain" },
          });
        }
    

        // Get the JWT from the request headers
        const token = request.headers.get("cf-access-jwt-assertion");
    

        // Check if token exists
        if (!token) {
          return new Response("Missing required CF Access JWT", {
            status: 403,
            headers: { "Content-Type": "text/plain" },
          });
        }
    

        try {
          // Create JWKS from your team domain
          const JWKS = createRemoteJWKSet(
            new URL(`${env.TEAM_DOMAIN}/cdn-cgi/access/certs`),
          );
    

          // Verify the JWT
          const { payload } = await jwtVerify(token, JWKS, {
            issuer: env.TEAM_DOMAIN,
            audience: env.POLICY_AUD,
          });
    

          // Token is valid, proceed with your application logic
          return new Response(`Hello ${payload.email || "authenticated user"}!`, {
            headers: { "Content-Type": "text/plain" },
          });
        } catch (error) {
          // Token verification failed
          return new Response(`Invalid token: ${error.message}`, {
            status: 403,
            headers: { "Content-Type": "text/plain" },
          });
        }
      },
    };

    Required environment variables

    Add these environment variables to your Worker:

    • POLICY_AUD: Your application's AUD tag
    • TEAM_DOMAIN: https://<your-team-name>.cloudflareaccess.com

    Both of these appear in the modal that appears when you enable Cloudflare Access.

    You can set these variables by adding them to your Worker's Wrangler configuration file, or via the Cloudflare dashboard under Workers & Pages > your-worker > Settings > Environment Variables.

  1. Fine-grained Permissioning for Access for Apps, IdPs, & Targets now in Public Beta

    Cloudflare Fundamentals

    Fine-grained permissions for Access Applications, Identity Providers (IdPs), and Targets is now available in Public Beta. This expands our RBAC model beyond account & zone-scoped roles, enabling administrators to grant permissions scoped to individual resources.

    What's New

    Updated Permissions Policy UX

    For more info:

