All Cloudflare Release Notes
- Nov 6, 2025
Applications to be remapped to the new categories
New application categories are live to better reflect application content and improve HTTP traffic management. Remapping of existing apps to the new categories completes by Jan 30, 2026; review your rules and update policies before the switch. Expect potential traffic changes after the remap.
Applications category remapping and timeline
We have previously added new application categories to better reflect their content and improve HTTP traffic management: refer to Changelog. While the new categories are live now, we want to ensure you have ample time to review and adjust any existing rules you have configured against old categories. The remapping of existing applications into these new categories will be completed by January 30, 2026. This timeline allows you a dedicated period to:
- Review the new category structure.
- Identify any policies you have that target the older categories.
- Adjust your rules to reference the new, more precise categories before the old mappings change.
Once the applications have been fully remapped by January 30, 2026, you might observe some changes in the traffic being mitigated or allowed by your existing policies. We encourage you to use the intervening time to prepare for a smooth transition.
Applications being remapped
[Table of applications and their old and new categories]
For more information on creating HTTP policies, refer to Applications and app types.
- Nov 5, 2025
Developer Platform by Cloudflare
Announcing Workers VPC Services (Beta)
Cloudflare unveils Workers VPC Services, letting Workers securely reach private networks via Cloudflare Tunnels. It brings multi‑cloud support and familiar binding syntax for internal APIs, databases, and services. Set up with the docs and get started fast.
What's new
Workers VPC Services is now available, enabling your Workers to securely access resources in your private networks, without having to expose them on the public Internet.
- VPC Services: Create secure connections to internal APIs, databases, and services using familiar Worker binding syntax
- Multi-cloud Support: Connect to resources in private networks in any external cloud (AWS, Azure, GCP, etc.) or on-premise using Cloudflare Tunnels
Set up a Cloudflare Tunnel, create a VPC Service, add service bindings to your Worker, and access private resources securely. Refer to the documentation to get started.
- Nov 5, 2025
Developer Platform by Cloudflare
Workers VPC Services (Beta)
What's new
- VPC Services: Create secure connections to internal APIs, databases, and services through Cloudflare Tunnel using familiar Worker binding syntax
- Multi-cloud Support: Connect to resources across AWS, Azure, GCP, and on-premise infrastructure
Getting started
Set up a Cloudflare Tunnel, create a VPC Service, add service bindings to your Worker, and access private resources securely. Refer to the documentation to get started.
- Nov 5, 2025
Developer Platform by Cloudflare
D1 can restrict data localization with jurisdictions
You can now set a jurisdiction when creating a D1 database to guarantee where your database runs and stores data. Jurisdictions can help you comply with data localization regulations such as GDPR. Supported jurisdictions include eu and fedramp.
A jurisdiction can only be set at database creation time via wrangler, REST API or the UI and cannot be added/updated after the database already exists.
To learn more, visit D1's data location documentation.
- Nov 5, 2025
Application Security by Cloudflare
WAF Release - 2025-11-05 - Emergency
Emergency release adds a new detection signature to cover a critical React Native Metro Development Server vulnerability CVE-2025-11953. Unauthenticated requests can trigger remote code execution; patch and restrict network exposure to stay protected. Strengthened defenses help prevent compromise of dev workstations and CI.
This week’s emergency release introduces a new detection signature that enhances coverage for a critical vulnerability in the React Native Metro Development Server, tracked as CVE-2025-11953.
Key Findings
The Metro Development Server exposes an HTTP endpoint that is vulnerable to OS command injection (CWE-78). An unauthenticated network attacker can send a crafted request to this endpoint and execute arbitrary commands on the host running Metro. The vulnerability affects Metro/cli-server-api builds used by React Native Community CLI in pre-patch development releases.
Impact
Successful exploitation of CVE-2025-11953 may result in remote command execution on developer workstations or CI/build agents, leading to credential and secret exposure, source tampering, and potential lateral movement into internal networks. Administrators and developers are strongly advised to apply the vendor's patches and restrict Metro’s network exposure to reduce this risk.
- Nov 5, 2025
Logpush Permission Update for Zero Trust Datasets
Zero Trust Logpush Permissions Update
Permissions for managing Logpush jobs related to Zero Trust datasets (Access, Gateway, and DEX) have been updated to improve data security and enforce appropriate access controls.
To view, create, update, or delete Logpush jobs for Zero Trust datasets, users must now have both of the following permissions:
- Logs Edit
- Zero Trust: PII Read
Note
Update your UI, API or Terraform configurations to include the new permissions. Requests to Zero Trust datasets will fail due to insufficient access without the additional permission.
- Nov 3, 2025
Application Security by Cloudflare
WAF Release - 2025-11-03
Security update enhances detection for CVE-2025-54236 in Adobe Commerce and Magento Open Source. New detection logic blocks unauthenticated REST API access and reduces risk of session hijack and remote code execution. Admins should apply patches promptly.
This week highlights enhancements to detection signatures improving coverage for vulnerabilities in Adobe Commerce and Magento Open Source, linked to CVE-2025-54236.
Key Findings
This vulnerability allows unauthenticated attackers to take over customer accounts through the Commerce REST API and, in certain configurations, may lead to remote code execution. The latest update provides enhanced detection logic for resilient protection against exploitation attempts.
Impact
Adobe Commerce (CVE-2025-54236): Exploitation may allow attackers to hijack sessions, execute arbitrary commands, steal data, and disrupt storefronts, resulting in confidentiality and integrity risks for merchants. Administrators are strongly encouraged to apply vendor patches without delay.
This is an improved detection.
- November 2025
Application Security by Cloudflare
WAF Release - Scheduled changes for 2025-11-10
New Prototype Pollution detections added for URI, Body, and Header Form, expanding coverage across requests. An HTTP Truncated Beta detection is introduced and will replace the original action on its ID. Release rollout targets 2025-11-10.
| Announcement Date | Release Date | Release Behavior | Legacy Rule ID | Rule ID | Description | Comments |
| --- | --- | --- | --- | --- | --- | --- |
| 2025-10-27 | 2025-11-10 | Log | N/A | ...606285e6 | Generic Rules - Prototype Pollution - URI | This is a new detection |
| 2025-10-27 | 2025-11-10 | Log | N/A | ...4f59ff26 | Generic Rules - Prototype Pollution - Body | This is a new detection |
| 2025-10-27 | 2025-11-10 | Log | N/A | ...7efbeb39 | Generic Rules - Prototype Pollution - Header - Form | This is a new detection |
| 2025-10-27 | 2025-11-10 | Log | N/A | ...9029cd61 | HTTP Truncated Beta | This is a beta detection and will replace the action on original detection (ID: ...c22b51d3) |
- Oct 31, 2025
Workers WebSocket message size limit increased from 1 MiB to 32 MiB
WebSocket message size limit for Workers
Workers, including those using Durable Objects and Browser Rendering, may now process WebSocket messages up to 32 MiB in size. Previously, this limit was 1 MiB.
This change allows Workers to handle use cases requiring large message sizes, such as processing Chrome DevTools Protocol messages.
For more information, please see the Durable Objects startup limits.