Skip to content
Cloudflare Docs
Docs DirectoryAPIsSDKs

Changelog

New updates and improvements at Cloudflare.

Subscribe to RSS View RSS feeds
Application security
hero image

  1. Increased IP List Limits for Enterprise Accounts

    WAF

    We have significantly increased the limits for IP Lists on Enterprise plans to provide greater flexibility and control:

    • Total number of lists: Increased from 10 to 1,000.
    • Total number of list items: Increased from 10,000 to 500,000.

    Limits for other list types and plans remain unchanged. For more details, refer to the lists availability.

  1. WAF Release - 2025-07-07

    WAF

    This week’s roundup uncovers critical vulnerabilities affecting enterprise VoIP systems, webmail platforms, and a popular JavaScript framework. The risks range from authentication bypass to remote code execution (RCE) and buffer handling flaws, each offering attackers a path to elevate access or fully compromise systems.

    Key Findings

    • Next.js - Auth Bypass: A newly detected authentication bypass flaw in the Next.js framework allows attackers to access protected routes or APIs without proper authorization, undermining application access controls.
    • Fortinet FortiVoice (CVE-2025-32756): A buffer error vulnerability in FortiVoice systems that could lead to memory corruption and potential code execution or service disruption in enterprise telephony environments.
    • Roundcube (CVE-2025-49113): A critical RCE flaw allowing unauthenticated attackers to execute arbitrary PHP code via crafted requests, leading to full compromise of mail servers and user inboxes.

    Impact

    These vulnerabilities affect core business infrastructure, from web interfaces to voice communications and email platforms. The Roundcube RCE and FortiVoice buffer flaw offer potential for deep system access, while the Next.js auth bypass undermines trust boundaries in modern web apps.

    RulesetRule IDLegacy Rule IDDescriptionPrevious ActionNew ActionComments
    Cloudflare Managed Ruleset 100795Next.js - Auth BypassLogDisabledThis is a New Detection
    Cloudflare Managed Ruleset 100796Fortinet FortiVoice - Buffer Error - CVE:CVE-2025-32756LogDisabledThis is a New Detection
    Cloudflare Managed Ruleset 100797Roundcube - Remote Code Execution - CVE:CVE-2025-49113LogDisabledThis is a New Detection

  1. WAF Release - 2025-06-16

    WAF

    This week’s roundup highlights multiple critical vulnerabilities across popular web frameworks, plugins, and enterprise platforms. The focus lies on remote code execution (RCE), server-side request forgery (SSRF), and insecure file upload vectors that enable full system compromise or data exfiltration.

    Key Findings

    • Cisco IOS XE (CVE-2025-20188): Critical RCE vulnerability enabling unauthenticated attackers to execute arbitrary commands on network infrastructure devices, risking total router compromise.
    • Axios (CVE-2024-39338): SSRF flaw impacting server-side request control, allowing attackers to manipulate internal service requests when misconfigured with unsanitized user input.
    • vBulletin (CVE-2025-48827, CVE-2025-48828): Two high-impact RCE flaws enabling attackers to remotely execute PHP code, compromising forum installations and underlying web servers.
    • Invision Community (CVE-2025-47916): A critical RCE vulnerability allowing authenticated attackers to run arbitrary code in community platforms, threatening data and lateral movement risk.
    • CrushFTP (CVE-2025-32102, CVE-2025-32103): SSRF vulnerabilities in upload endpoint processing permit attackers to pivot internal network scans and abuse internal services.
    • Roundcube (CVE-2025-49113): RCE via email processing enables attackers to execute code upon viewing a crafted email — particularly dangerous for webmail deployments.
    • WooCommerce WordPress Plugin (CVE-2025-47577): Dangerous file upload vulnerability permits unauthenticated users to upload executable payloads, leading to full WordPress site takeover.
    • Cross-Site Scripting (XSS) Detection Improvements: Enhanced detection patterns.

    Impact

    These vulnerabilities span core systems — from routers to e-commerce to email. RCE in Cisco IOS XE, Roundcube, and vBulletin poses full system compromise. SSRF in Axios and CrushFTP supports internal pivoting, while WooCommerce’s file upload bug opens doors to mass WordPress exploitation.

    RulesetRule IDLegacy Rule IDDescriptionPrevious ActionNew ActionComments
    Cloudflare Managed Ruleset 100783Cisco IOS XE - Remote Code Execution - CVE:CVE-2025-20188LogBlockThis is a New Detection
    Cloudflare Managed Ruleset 100784Axios - SSRF - CVE:CVE-2024-39338LogBlockThis is a New Detection
    Cloudflare Managed Ruleset 100785

    vBulletin - Remote Code Execution - CVE:CVE-2025-48827, CVE:CVE-2025-48828

    		LogBlockThis is a New Detection
    Cloudflare Managed Ruleset 100786Invision Community - Remote Code Execution - CVE:CVE-2025-47916LogBlockThis is a New Detection
    Cloudflare Managed Ruleset 100791CrushFTP - SSRF - CVE:CVE-2025-32102, CVE:CVE-2025-32103LogBlockThis is a New Detection
    Cloudflare Managed Ruleset 100792Roundcube - Remote Code Execution - CVE:CVE-2025-49113LogBlockThis is a New Detection
    Cloudflare Managed Ruleset 100793XSS - OntoggleLogDisabledThis is a New Detection
    Cloudflare Managed Ruleset 100794

    WordPress WooCommerce Plugin - Dangerous File Upload - CVE:CVE-2025-47577

    		LogBlockThis is a New Detection

  1. More flexible fallback handling — Custom Errors now support fetching assets returned with 4xx or 5xx status codes

    Rules

    Custom Errors can now fetch and store assets and error pages from your origin even if they are served with a 4xx or 5xx HTTP status code — previously, only 200 OK responses were allowed.

    What’s new:

    • You can now upload error pages and error assets that return error status codes (for example, 403, 500, 502, 503, 504) when fetched.
    • These assets are stored and minified at the edge, so they can be reused across multiple Custom Error rules without triggering requests to the origin.

    This is especially useful for retrieving error content or downtime banners from your backend when you can’t override the origin status code.

    Learn more in the Custom Errors documentation.

  1. Match Workers subrequests by upstream zone — cf.worker.upstream_zone now supported in Transform Rules

    Rules

    You can now use the cf.worker.upstream_zone field in Transform Rules to control rule execution based on whether a request originates from Workers, including subrequests issued by Workers in other zones.

    Match Workers subrequests by upstream zone in Transform Rules

    What's new:

    • cf.worker.upstream_zone is now supported in Transform Rules expressions.
    • Skip or apply logic conditionally when handling Workers subrequests.

    For example, to add a header when the subrequest comes from another zone:

    Text in Expression Editor (replace myappexample.com with your domain):

    (cf.worker.upstream_zone != "" and cf.worker.upstream_zone != "myappexample.com")

    Selected operation under Modify request header: Set static

    Header name: X-External-Workers-Subrequest

    Value: 1

    This gives you more granular control in how you handle incoming requests for your zone.

    Learn more in the Transform Rules documentation and Rules language fields reference.

  1. WAF Release - 2025-06-09

    WAF

    This week’s update spotlights four critical vulnerabilities across CMS platforms, VoIP systems, and enterprise applications. Several flaws enable remote code execution or privilege escalation, posing significant enterprise risks.

    Key Findings

    • WordPress OttoKit Plugin (CVE-2025-27007): Privilege escalation flaw allows unauthenticated attackers to create or elevate user accounts, compromising WordPress administrative control.
    • SAP NetWeaver (CVE-2025-42999): Remote Code Execution vulnerability enables attackers to execute arbitrary code on SAP NetWeaver systems, threatening core ERP and business operations.
    • Fortinet FortiVoice (CVE-2025-32756): Buffer error vulnerability may lead to memory corruption and potential code execution, directly impacting enterprise VoIP infrastructure.
    • Camaleon CMS (CVE-2024-46986): Remote Code Execution vulnerability allows attackers to gain full control over Camaleon CMS installations, exposing hosted content and underlying servers.

    Impact

    These vulnerabilities target widely deployed CMS, ERP, and VoIP systems. RCE flaws in SAP NetWeaver and Camaleon CMS allow full takeover of business-critical applications. Privilege escalation in OttoKit exposes WordPress environments to full administrative compromise. FortiVoice buffer handling issues risk destabilizing or fully compromising enterprise telephony systems.

    RulesetRule IDLegacy Rule IDDescriptionPrevious ActionNew ActionComments
    Cloudflare Managed Ruleset 100769

    WordPress OttoKit Plugin - Privilege Escalation - CVE:CVE-2025-27007

    		LogBlockThis is a New Detection
    Cloudflare Managed Ruleset 100770SAP NetWeaver - Remote Code Execution - CVE:CVE-2025-42999LogBlockThis is a New Detection
    Cloudflare Managed Ruleset 100779Fortinet FortiVoice - Buffer Error - CVE:CVE-2025-32756LogBlockThis is a New Detection
    Cloudflare Managed Ruleset 100780Camaleon CMS - Remote Code Execution - CVE:CVE-2024-46986LogBlockThis is a New Detection

  1. WAF Release - 2025-06-02

    WAF

    This week’s roundup highlights five high-risk vulnerabilities affecting SD-WAN, load balancers, and AI platforms. Several flaws enable unauthenticated remote code execution or authentication bypass.

    Key Findings

    • Versa Concerto SD-WAN (CVE-2025-34026, CVE-2025-34027): Authentication bypass vulnerabilities allow attackers to gain unauthorized access to SD-WAN management interfaces, compromising network segmentation and control.
    • Kemp LoadMaster (CVE-2024-7591): Remote Code Execution vulnerability enables attackers to execute arbitrary commands, potentially leading to full device compromise within enterprise load balancing environments.
    • AnythingLLM (CVE-2024-0759): Server-Side Request Forgery (SSRF) flaw allows external attackers to force the LLM backend to make unauthorized internal network requests, potentially exposing sensitive internal resources.
    • Anyscale Ray (CVE-2023-48022): Remote Code Execution vulnerability affecting distributed AI workloads, allowing attackers to execute arbitrary code on Ray cluster nodes.
    • Server-Side Request Forgery (SSRF) - Generic & Obfuscated Payloads: Ongoing advancements in SSRF payload techniques observed, including obfuscation and expanded targeting of cloud metadata services and internal IP ranges.

    Impact

    These vulnerabilities expose critical infrastructure across networking, AI platforms, and SaaS integrations. Unauthenticated RCE and auth bypass flaws in Versa Concerto, Kemp LoadMaster, and Anyscale Ray allow full system compromise. AnythingLLM and SSRF payload variants expand attack surfaces into internal cloud resources, sensitive APIs, and metadata services, increasing risk of privilege escalation, data theft, and persistent access.

    RulesetRule IDLegacy Rule IDDescriptionPrevious ActionNew ActionComments
    Cloudflare Managed Ruleset 100764Versa Concerto SD-WAN - Auth Bypass - CVE:CVE-2025-34027LogBlockThis is a New Detection
    Cloudflare Managed Ruleset 100765Versa Concerto SD-WAN - Auth Bypass - CVE:CVE-2025-34026LogBlockThis is a New Detection
    Cloudflare Managed Ruleset 100766Kemp LoadMaster - Remote Code Execution - CVE:CVE-2024-7591LogBlockThis is a New Detection
    Cloudflare Managed Ruleset 100767AnythingLLM - SSRF - CVE:CVE-2024-0759LogBlockThis is a New Detection
    Cloudflare Managed Ruleset 100768Anyscale Ray - Remote Code Execution - CVE:CVE-2023-48022LogBlockThis is a New Detection
    Cloudflare Managed Ruleset 100781SSRF - Generic PayloadsN/ADisabledThis is a New Detection
    Cloudflare Managed Ruleset 100782SSRF - Obfuscated PayloadsN/ADisabledThis is a New Detection

  1. Fine-tune image optimization — WebP now supported in Configuration Rules

    Rules

    You can now enable Polish with the webp format directly in Configuration Rules, allowing you to optimize image delivery for specific routes, user agents, or A/B tests — without applying changes zone-wide.

    What’s new:

    • WebP is now a supported value in the Polish setting for Configuration Rules.

    This gives you more precise control over how images are compressed and delivered, whether you're targeting modern browsers, running experiments, or tailoring performance by geography or device type.

    Learn more in the Polish and Configuration Rules documentation.

  1. Updated attack score model

    WAF

    We have deployed an updated attack score model focused on enhancing the detection of multiple false positives (FPs).

    As a result of this improvement, some changes in observed attack scores are expected.

  1. Increased limits for Cloudflare for SaaS and Secrets Store free and Pay-as-you-go plans

    SSL/TLS Cloudflare for SaaS Secrets Store

    With upgraded limits to all free and paid plans, you can now scale more easily with Cloudflare for SaaS and Secrets Store.

    Cloudflare for SaaS allows you to extend the benefits of Cloudflare to your customers via their own custom or vanity domains. Now, the limit for custom hostnames on a Cloudflare for SaaS Pay-as-you-go plan has been raised from 5,000 custom hostnames to 50,000 custom hostnames.

    With custom origin server -- previously an enterprise-only feature -- you can route traffic from one or more custom hostnames somewhere other than your default proxy fallback. Custom origin server is now available to Cloudflare for SaaS customers on Free, Pro, and Business plans.

    You can enable custom origin server on a per-custom hostname basis via the API or the UI:

    Import repo or choose template

    Currently in beta with a Workers integration, Cloudflare Secrets Store allows you to store, manage, and deploy account level secrets from a secure, centralized platform your Cloudflare Workers. Now, you can create and deploy 100 secrets per account. Try it out in the dashboard, with Wrangler, or via the API today.

  1. WAF Release - 2025-05-27

    WAF

    This week’s roundup covers nine vulnerabilities, including six critical RCEs and one dangerous file upload. Affected platforms span cloud services, CI/CD pipelines, CMSs, and enterprise backup systems. Several are now addressed by updated WAF managed rulesets.

    Key Findings

    • Ingress-Nginx (CVE-2025-1098): Unauthenticated RCE via unsafe annotation handling. Impacts Kubernetes clusters.
    • GitHub Actions (CVE-2025-30066): RCE through malicious workflow inputs. Targets CI/CD pipelines.
    • Craft CMS (CVE-2025-32432): Template injection enables unauthenticated RCE. High risk to content-heavy sites.
    • F5 BIG-IP (CVE-2025-31644): RCE via TMUI exploit, allowing full system compromise.
    • AJ-Report (CVE-2024-15077): RCE through untrusted template execution. Affects reporting dashboards.
    • NAKIVO Backup (CVE-2024-48248): RCE via insecure script injection. High-value target for ransomware.
    • SAP NetWeaver (CVE-2025-31324): Dangerous file upload flaw enables remote shell deployment.
    • Ivanti EPMM (CVE-2025-4428, 4427): Auth bypass allows full access to mobile device management.
    • Vercel (CVE-2025-32421): Information leak via misconfigured APIs. Useful for attacker recon.

    Impact

    These vulnerabilities expose critical components across Kubernetes, CI/CD pipelines, and enterprise systems to severe threats including unauthenticated remote code execution, authentication bypass, and information leaks. High-impact flaws in Ingress-Nginx, Craft CMS, F5 BIG-IP, and NAKIVO Backup enable full system compromise, while SAP NetWeaver and AJ-Report allow remote shell deployment and template-based attacks. Ivanti EPMM’s auth bypass further risks unauthorized control over mobile device fleets.

    GitHub Actions and Vercel introduce supply chain and reconnaissance risks, allowing malicious workflow inputs and data exposure that aid in targeted exploitation. Organizations should prioritize immediate patching, enhance monitoring, and deploy updated WAF and IDS signatures to defend against likely active exploitation.

    RulesetRule IDLegacy Rule IDDescriptionPrevious ActionNew ActionComments
    Cloudflare Managed Ruleset 100746Vercel - Information DisclosureLogDisabledThis is a New Detection
    Cloudflare Managed Ruleset 100754AJ-Report - Remote Code Execution - CVE:CVE-2024-15077LogBlockThis is a New Detection
    Cloudflare Managed Ruleset 100756NAKIVO Backup - Remote Code Execution - CVE:CVE-2024-48248LogBlockThis is a New Detection
    Cloudflare Managed Ruleset 100757Ingress-Nginx - Remote Code Execution - CVE:CVE-2025-1098LogDisabledThis is a New Detection
    Cloudflare Managed Ruleset 100759SAP NetWeaver - Dangerous File Upload - CVE:CVE-2025-31324LogBlockThis is a New Detection
    Cloudflare Managed Ruleset 100760Craft CMS - Remote Code Execution - CVE:CVE-2025-32432LogBlockThis is a New Detection
    Cloudflare Managed Ruleset 100761GitHub Action - Remote Code Execution - CVE:CVE-2025-30066LogDisabledThis is a New Detection
    Cloudflare Managed Ruleset 100762Ivanti EPMM - Auth Bypass - CVE:CVE-2025-4428, CVE:CVE-2025-4427LogBlockThis is a New Detection
    Cloudflare Managed Ruleset 100763F5 Big IP - Remote Code Execution - CVE:CVE-2025-31644LogDisabledThis is a New Detection

  1. WAF Release - 2025-05-19

    WAF

    This week's analysis covers four vulnerabilities, with three rated critical due to their Remote Code Execution (RCE) potential. One targets a high-traffic frontend platform, while another targets a popular content management system. These detections are now part of the Cloudflare Managed Ruleset in Block mode.

    Key Findings

    • Commvault Command Center (CVE-2025-34028) exposes an unauthenticated RCE via insecure command injection paths in the web UI. This is critical due to its use in enterprise backup environments.
    • BentoML (CVE-2025-27520) reveals an exploitable vector where serialized payloads in model deployment APIs can lead to arbitrary command execution. This targets modern AI/ML infrastructure.
    • Craft CMS (CVE-2024-56145) allows RCE through template injection in unauthenticated endpoints. It poses a significant risk for content-heavy websites with plugin extensions.
    • Apache HTTP Server (CVE-2024-38475) discloses sensitive server config data due to misconfigured mod_proxy behavior. While not RCE, this is useful for pre-attack recon.

    Impact

    These newly detected vulnerabilities introduce critical risk across modern web stacks, AI infrastructure, and content platforms: unauthenticated RCEs in Commvault, BentoML, and Craft CMS enable full system compromise with minimal attacker effort.

    Apache HTTPD information leak can support targeted reconnaissance, increasing the success rate of follow-up exploits. Organizations using these platforms should prioritize patching and monitor for indicators of exploitation using updated WAF detection rules.

    RulesetRule IDLegacy Rule IDDescriptionPrevious ActionNew ActionComments
    Cloudflare Managed Ruleset 100745Apache HTTP Server - Information Disclosure - CVE:CVE-2024-38475LogBlockThis is a New Detection
    Cloudflare Managed Ruleset 100747

    Commvault Command Center - Remote Code Execution - CVE:CVE-2025-34028

    		LogBlockThis is a New Detection
    Cloudflare Managed Ruleset 100749BentoML - Remote Code Execution - CVE:CVE-2025-27520LogDisabledThis is a New Detection
    Cloudflare Managed Ruleset 100753Craft CMS - Remote Code Execution - CVE:CVE-2024-56145LogBlockThis is a New Detection

  1. More ways to match — Snippets now support Custom Lists, Bot Score, and WAF Attack Score

    Rules

    You can now use IP, Autonomous System (AS), and Hostname custom lists to route traffic to Snippets and Cloud Connector, giving you greater precision and control over how you match and process requests at the edge.

    In Snippets, you can now also match on Bot Score and WAF Attack Score, unlocking smarter edge logic for everything from request filtering and mitigation to tarpitting and logging.

    What’s new:

    • Custom lists matching – Snippets and Cloud Connector now support user-created IP, AS, and Hostname lists via dashboard or Lists API. Great for shared logic across zones.
    • Bot Score and WAF Attack Score – Use Cloudflare’s intelligent traffic signals to detect bots or attacks and take advanced, tailored actions with just a few lines of code.
    New fields in Snippets

    These enhancements unlock new possibilities for building smarter traffic workflows with minimal code and maximum efficiency.

    Learn more in the Snippets and Cloud Connector documentation.

  1. URL Scanner now supports geo-specific scanning

    Security Center

    Enterprise customers can now choose the geographic location from which a URL scan is performed — either via Security Center in the Cloudflare dashboard or via the URL Scanner API.

    This feature gives security teams greater insight into how a website behaves across different regions, helping uncover targeted, location-specific threats.

    What’s new:

    • Location Picker: Select a location for the scan via Security Center → Investigate in the dashboard or through the API.
    • Region-aware scanning: Understand how content changes by location — useful for detecting regionally tailored attacks.
    • Default behavior: If no location is set, scans default to the user’s current geographic region.

    Learn more in the Security Center documentation.

  1. Improved Payload Logging for WAF Managed Rules

    WAF

    We have upgraded WAF Payload Logging to enhance rule diagnostics and usability:

    • Targeted logging: Logs now capture only the specific portions of requests that triggered WAF rules, rather than entire request segments.
    • Visual highlighting: Matched content is visually highlighted in the UI for faster identification.
    • Enhanced context: Logs now include surrounding context to make diagnostics more effective.
    Log entry showing payload logging details

    Payload Logging is available to all Enterprise customers. If you have not used Payload Logging before, check how you can get started.

    Note: The structure of the encrypted_matched_data field in Logpush has changed from Map<Field, Value> to Map<Field, {Before: bytes, Content: Value, After: bytes}>. If you rely on this field in your Logpush jobs, you should review and update your processing logic accordingly.

  1. WAF Release - 2025-05-05

    WAF

    This week's analysis covers five CVEs with varying impact levels. Four are rated critical, while one is rated high severity. Remote Code Execution vulnerabilities dominate this set.

    Key Findings

    GFI KerioControl (CVE-2024-52875) contains an unauthenticated Remote Code Execution (RCE) vulnerability that targets firewall appliances. This vulnerability can let attackers gain root level system access, making this CVE particularly attractive for threat actors.

    The SonicWall SMA vulnerabilities remain concerning due to their continued exploitation since 2021. These critical vulnerabilities in remote access solutions create dangerous entry points to networks.

    Impact

    Customers using the Managed Ruleset will receive rule coverage following this week's release. Below is a breakdown of the recommended prioritization based on current exploitation trends:

    • GFI KerioControl (CVE-2024-52875) - Highest priority; unauthenticated RCE
    • SonicWall SMA (Multiple vulnerabilities) - Critical for network appliances
    • XWiki (CVE-2025-24893) - High priority for development environments
    • Langflow (CVE-2025-3248) - Important for AI workflow platforms
    • MinIO (CVE-2025-31489) - Important for object storage implementations
    RulesetRule IDLegacy Rule IDDescriptionPrevious ActionNew ActionComments
    Cloudflare Managed Ruleset 100724GFI KerioControl - Remote Code Execution - CVE:CVE-2024-52875LogBlockThis is a New Detection
    Cloudflare Managed Ruleset 100748XWiki - Remote Code Execution - CVE:CVE-2025-24893LogBlockThis is a New Detection
    Cloudflare Managed Ruleset 100750

    SonicWall SMA - Dangerous File Upload - CVE:CVE-2021-20040, CVE:CVE-2021-20041, CVE:CVE-2021-20042

    		LogBlockThis is a New Detection
    Cloudflare Managed Ruleset 100751Langflow - Remote Code Execution - CVE:CVE-2025-3248LogBlockThis is a New Detection
    Cloudflare Managed Ruleset 100752MinIO - Auth Bypass - CVE:CVE-2025-31489LogBlockThis is a New Detection

  1. WAF Release - 2025-04-26 - Emergency

    WAF
    RulesetRule IDLegacy Rule IDDescriptionPrevious ActionNew ActionComments
    Cloudflare Managed Ruleset 100755

    React.js - Router and Remix Vulnerability - CVE:CVE-2025-43864, CVE:CVE-2025-43865

    		BlockBlockThis is a New Detection

  1. Custom Errors are now Generally Available

    Rules

    Custom Errors are now generally available for all paid plans — bringing a unified and powerful experience for customizing error responses at both the zone and account levels.

    You can now manage Custom Error Rules, Custom Error Assets, and redesigned Error Pages directly from the Cloudflare dashboard. These features let you deliver tailored messaging when errors occur, helping you maintain brand consistency and improve user experience — whether it’s a 404 from your origin or a security challenge from Cloudflare.

    What's new:

    • Custom Errors are now GA – Available on all paid plans and ready for production traffic.
    • UI for Custom Error Rules and Assets – Manage your zone-level rules from the Rules > Overview and your zone-level assets from the Rules > Settings tabs.
    • Define inline content or upload assets – Create custom responses directly in the rule builder, upload new or reuse previously stored assets.
    • Refreshed UI and new name for Error Pages – Formerly known as “Custom Pages,” Error Pages now offer a cleaner, more intuitive experience for both zone and account-level configurations.
    • Powered by Ruleset Engine – Custom Error Rules support conditional logic and override Error Pages for 500 and 1000 class errors, as well as errors originating from your origin or other Cloudflare products. You can also configure Response Header Transform Rules to add, change, or remove HTTP headers from responses returned by Custom Error Rules.

    Learn more in the Custom Errors documentation.

  1. WAF Release - 2025-04-22

    WAF

    Each of this week's rule releases covers a distinct CVE, with half of the rules targeting Remote Code Execution (RCE) attacks. Of the 6 CVEs covered, four were scored as critical, with the other two scored as high.

    When deciding which exploits to tackle, Cloudflare tunes into the attackers' areas of focus. Cloudflare's network intelligence provides a unique lens into attacker activity – for instance, through the volume of blocked requests related with CVE exploits after updating WAF Managed Rules with new detections.

    From this week's releases, one indicator that RCE is a "hot topic" attack type is the fact that the Oracle PeopleSoft RCE rule accounts for half of all of the new rule matches. This rule patches CVE-2023-22047, a high-severity vulnerability in the Oracle PeopleSoft suite that allows unauthenticated attackers to access PeopleSoft Enterprise PeopleTools data through remote code execution. This is particularly concerning because of the nature of the data managed by PeopleSoft – this can include payroll records or student profile information. This CVE, along with five others, are addressed with the latest detection update to WAF Managed Rules.

    RulesetRule IDLegacy Rule IDDescriptionPrevious ActionNew ActionComments
    Cloudflare Managed Ruleset 100738GitLab - Auth Bypass - CVE:CVE-2023-7028LogDisabledThis is a New Detection
    Cloudflare Managed Ruleset 100740Splunk Enterprise - Remote Code Execution - CVE:CVE-2025-20229LogDisabledThis is a New Detection
    Cloudflare Managed Ruleset 100741Oracle PeopleSoft - Remote Code Execution - CVE:CVE-2023-22047LogDisabledThis is a New Detection
    Cloudflare Managed Ruleset 100742CrushFTP - Auth Bypass - CVE:CVE-2025-31161LogDisabledThis is a New Detection
    Cloudflare Managed Ruleset 100743Ivanti - Buffer Error - CVE:CVE-2025-22457LogDisabledThis is a New Detection
    Cloudflare Managed Ruleset 100744

    Oracle Access Manager - Remote Code Execution - CVE:CVE-2021-35587

    		LogDisabledThis is a New Detection

  1. WAF Release - 2025-04-14

    WAF
    RulesetRule IDLegacy Rule IDDescriptionPrevious ActionNew ActionComments
    Cloudflare Managed Ruleset 100739ANext.js - Auth Bypass - CVE:CVE-2025-29927 - 2LogDisabledThis is a New Detection

  1. Cloudflare Snippets are now Generally Available

    Rules
    Cloudflare Snippets are now GA

    Cloudflare Snippets are now generally available at no extra cost across all paid plans — giving you a fast, flexible way to programmatically control HTTP traffic using lightweight JavaScript.

    You can now use Snippets to modify HTTP requests and responses with confidence, reliability, and scale. Snippets are production-ready and deeply integrated with Cloudflare Rules, making them ideal for everything from quick dynamic header rewrites to advanced routing logic.

    What's new:

    • Snippets are now GA – Available at no extra cost on all Pro, Business, and Enterprise plans.

    • Ready for production – Snippets deliver a production-grade experience built for scale.

    • Part of the Cloudflare Rules platform – Snippets inherit request modifications from other Cloudflare products and support sequential execution, allowing you to run multiple Snippets on the same request and apply custom modifications step by step.

    • Trace integration – Use Cloudflare Trace to see which Snippets were triggered on a request — helping you understand traffic flow and debug more effectively.

      Snippets shown in Cloudflare Trace results

    Learn more in the launch blog post.

  1. Cloudflare Secrets Store now available in Beta

    Secrets Store SSL/TLS

    Cloudflare Secrets Store is available today in Beta. You can now store, manage, and deploy account level secrets from a secure, centralized platform to your Workers.

    Import repo or choose template

    To spin up your Cloudflare Secrets Store, simply click the new Secrets Store tab in the dashboard or use this Wrangler command:

    Terminal window
    wrangler secrets-store store create <name> --remote

    The following are supported in the Secrets Store beta:

    • Secrets Store UI & API: create your store & create, duplicate, update, scope, and delete a secret
    • Workers UI: bind a new or existing account level secret to a Worker and deploy in code
    • Wrangler: create your store & create, duplicate, update, scope, and delete a secret
    • Account Management UI & API: assign Secrets Store permissions roles & view audit logs for actions taken in Secrets Store core platform

    For instructions on how to get started, visit our developer documentation.

  1. WAF Release - 2025-04-02

    WAF
    RulesetRule IDLegacy Rule IDDescriptionPrevious ActionNew ActionComments
    Cloudflare Managed Ruleset 100732Sitecore - Code Injection - CVE:CVE-2025-27218LogBlockThis is a New Detection
    Cloudflare Managed Ruleset 100733

    Angular-Base64-Upload - Remote Code Execution - CVE:CVE-2024-42640

    		LogBlockThis is a New Detection
    Cloudflare Managed Ruleset 100734Apache Camel - Remote Code Execution - CVE:CVE-2025-29891LogDisabledThis is a New Detection
    Cloudflare Managed Ruleset 100735

    Progress Software WhatsUp Gold - Remote Code Execution - CVE:CVE-2024-4885

    		LogBlockThis is a New Detection
    Cloudflare Managed Ruleset 100737Apache Tomcat - Remote Code Execution - CVE:CVE-2025-24813LogBlockThis is a New Detection
    Cloudflare Managed Ruleset 100659Common Payloads for Server-side Template InjectionN/ADisabledN/A
    Cloudflare Managed Ruleset 100659Common Payloads for Server-side Template Injection - Base64N/ADisabledN/A
    Cloudflare Managed Ruleset 100642LDAP InjectionN/ADisabledN/A
    Cloudflare Managed Ruleset 100642LDAP Injection Base64N/ADisabledN/A
    Cloudflare Managed Ruleset 100005

    DotNetNuke - File Inclusion - CVE:CVE-2018-9126, CVE:CVE-2011-1892, CVE:CVE-2022-31474

    		N/ADisabledN/A
    Cloudflare Managed Ruleset 100527Apache Struts - CVE:CVE-2021-31805N/ABlockN/A
    Cloudflare Managed Ruleset 100702Command Injection - CVE:CVE-2022-24108N/ABlockN/A
    Cloudflare Managed Ruleset 100622C

    Ivanti - Command Injection - CVE:CVE-2023-46805, CVE:CVE-2024-21887, CVE:CVE-2024-22024

    		N/ABlockN/A
    Cloudflare Managed Ruleset 100536CGraphQL Command InjectionN/ADisabledN/A
    Cloudflare Managed Ruleset 100536GraphQL InjectionN/ADisabledN/A
    Cloudflare Managed Ruleset 100536AGraphQL IntrospectionN/ADisabledN/A
    Cloudflare Managed Ruleset 100536BGraphQL SSRFN/ADisabledN/A
    Cloudflare Managed Ruleset 100559APrototype Pollution - Common PayloadsN/ADisabledN/A
    Cloudflare Managed Ruleset 100559APrototype Pollution - Common Payloads - Base64N/ADisabledN/A
    Cloudflare Managed Ruleset 100734Apache Camel - Remote Code Execution - CVE:CVE-2025-29891N/ADisabledN/A

  1. WAF Release - 2025-03-22 - Emergency

    WAF
    RulesetRule IDLegacy Rule IDDescriptionPrevious ActionNew ActionComments
    Cloudflare Managed Ruleset 100739Next.js - Auth Bypass - CVE:CVE-2025-29927N/ADisabledThis is a New Detection

  1. New Managed WAF rule for Next.js CVE-2025-29927.

    Workers Pages WAF

    Update: Mon Mar 24th, 11PM UTC: Next.js has made further changes to address a smaller vulnerability introduced in the patches made to its middleware handling. Users should upgrade to Next.js versions 15.2.4, 14.2.26, 13.5.10 or 12.3.6. If you are unable to immediately upgrade or are running an older version of Next.js, you can enable the WAF rule described in this changelog as a mitigation.

    Update: Mon Mar 24th, 8PM UTC: Next.js has now backported the patch for this vulnerability to cover Next.js v12 and v13. Users on those versions will need to patch to 13.5.9 and 12.3.5 (respectively) to mitigate the vulnerability.

    Update: Sat Mar 22nd, 4PM UTC: We have changed this WAF rule to opt-in only, as sites that use auth middleware with third-party auth vendors were observing failing requests.

    We strongly recommend updating your version of Next.js (if eligible) to the patched versions, as your app will otherwise be vulnerable to an authentication bypass attack regardless of auth provider.

    This rule is opt-in only for sites on the Pro plan or above in the WAF managed ruleset.

    To enable the rule:

    1. Head to Security > WAF > Managed rules in the Cloudflare dashboard for the zone (website) you want to protect.
    2. Click the three dots next to Cloudflare Managed Ruleset and choose Edit
    3. Scroll down and choose Browse Rules
    4. Search for CVE-2025-29927 (ruleId: 34583778093748cc83ff7b38f472013e)
    5. Change the Status to Enabled and the Action to Block. You can optionally set the rule to Log, to validate potential impact before enabling it. Log will not block requests.
    6. Click Next
    7. Scroll down and choose Save

    This will enable the WAF rule and block requests with the x-middleware-subrequest header regardless of Next.js version.

    Create a WAF rule (manual)

    For users on the Free plan, or who want to define a more specific rule, you can create a Custom WAF rule to block requests with the x-middleware-subrequest header regardless of Next.js version.

    To create a custom rule:

    1. Head to Security > WAF > Custom rules in the Cloudflare dashboard for the zone (website) you want to protect.
    2. Give the rule a name - e.g. next-js-CVE-2025-29927
    3. Set the matching parameters for the rule match any request where the x-middleware-subrequest header exists per the rule expression below.
    Terminal window
    (len(http.request.headers["x-middleware-subrequest"]) > 0)
    1. Set the action to 'block'. If you want to observe the impact before blocking requests, set the action to 'log' (and edit the rule later).
    2. Deploy the rule.
    Next.js CVE-2025-29927 WAF rule

    Next.js CVE-2025-29927

    We've made a WAF (Web Application Firewall) rule available to all sites on Cloudflare to protect against the Next.js authentication bypass vulnerability (CVE-2025-29927) published on March 21st, 2025.

    Note: This rule is not enabled by default as it blocked requests across sites for specific authentication middleware.

    • This managed rule protects sites using Next.js on Workers and Pages, as well as sites using Cloudflare to protect Next.js applications hosted elsewhere.
    • This rule has been made available (but not enabled by default) to all sites as part of our WAF Managed Ruleset and blocks requests that attempt to bypass authentication in Next.js applications.
    • The vulnerability affects almost all Next.js versions, and has been fully patched in Next.js 14.2.26 and 15.2.4. Earlier, interim releases did not fully patch this vulnerability.
    • Users on older versions of Next.js (11.1.4 to 13.5.6) did not originally have a patch available, but this the patch for this vulnerability and a subsequent additional patch have been backported to Next.js versions 12.3.6 and 13.5.10 as of Monday, March 24th. Users on Next.js v11 will need to deploy the stated workaround or enable the WAF rule.

    The managed WAF rule mitigates this by blocking external user requests with the x-middleware-subrequest header regardless of Next.js version, but we recommend users using Next.js 14 and 15 upgrade to the patched versions of Next.js as an additional mitigation.

Search all changelog entries