Application Security Release Notes

Key Benefits

• Consolidate scan results, including screenshots, security signatures, and metadata, into a single, portable document
• Easily share professional-grade summaries with non-technical stakeholders or legal teams for faster incident response

What’s new

• PDF Export Button: A new download option is available in the URL Scanner results page within the Cloudflare dashboard
• Unified Documentation: Access all scan details—from high-level summaries to specific security flags—in one offline-friendly file

To get started with the URL Scanner and explore our reporting capabilities, visit the URL Scanner API documentation ↗.

The ip.src.metro_code field in the Ruleset Engine is now populated with DMA (Designated Market Area) data.
You can use this field to build rules that target traffic based on geographic market areas, enabling more granular location-based policies for your applications.

Field details

Field | Type | Description
ip.src.metro_code | String | null | The metro code (DMA) of the incoming request's IP address. Returns the designated market area code for the client's location.

Example filter expression

ip.src.metro_code eq "501"

For more information, refer to the Fields reference.

This week's release focuses on improvements to existing detections to enhance coverage.

Key Findings

• Existing rule enhancements have been deployed to improve detection resilience against broad classes of web attacks and strengthen behavioral coverage.

• Details include rule merges and action changes from Log to Block for various beta rules including Atlassian Confluence - Code Injection - CVE:CVE-2021-26084 - Beta and PostgreSQL - SQLi - Copy - Beta, and new detections with Disabled actions.

Emergency release notes

This emergency release introduces rules for CVE-2025-55183 and CVE-2025-55184, targeting server-side function exposure and resource-exhaustion patterns, respectively.

Key Findings

Added coverage for Leaking Server Functions (CVE-2025-55183) and React Function DoS detection (CVE-2025-55184).

Impact

These updates strengthen protection for server-function abuse techniques (CVE-2025-55183, CVE-2025-55184) that may expose internal logic or disrupt application availability.

Details

Details include new rules with Block and Disabled actions for React - Leaking Server Functions and React - DoS.

This additional week's emergency release introduces improvements to our existing rule for React – Remote Code Execution – CVE-2025-55182 - 2, along with two new generic detections covering server-side function exposure and resource-exhaustion patterns.

Key Findings

Enhanced detection logic for React – RCE – CVE-2025-55182, added Generic – Server Function Source Code Exposure, and added Generic – Server Function Resource Exhaustion.

Impact

These updates strengthen protection against React RCE exploitation attempts and broaden coverage for common server-function abuse techniques that may expose internal logic or disrupt application availability.

Details

include improved detections with Block actions and new detections with Block and Disabled actions.

We are reinstating the maximum request-payload size the Cloudflare WAF inspects, with WAF on Enterprise zones inspecting up to 128 KB.

Key Findings

On December 5, 2025, we initially attempted to increase the maximum WAF payload limit to 1 MB across all plans. However, an automatic rollout for all customers proved impractical because the increase led to a surge in false positives for existing managed rules.

This issue was particularly notable within the Cloudflare Managed Ruleset and the Cloudflare OWASP Core Ruleset, impacting customer traffic.

Impact

Customers on paid plans can increase the limit to 1 MB for any of their zones by contacting Cloudflare Support. Free zones are already protected up to 1 MB and do not require any action.