Engineering Insights

Cloudflare Tunnel, Cloudflare Tunnel for SASE - Cloudflare Tunnel and Networks API will no longer return deleted resources by default starting December 1, 2025

Starting December 1, 2025, list endpoints for the Cloudflare Tunnel API and Zero Trust Networks API will no longer return deleted tunnels, routes, subnets and virtual networks by default. This change makes the API behavior more intuitive by only returning active resources unless otherwise specified. No action is required if you already explicitly set is_deleted=false or if you only need to list active resources. This change affects the following API endpoints: List all tunnels: GET /accounts/{ac

Make your ZeroGPU Spaces go brrr with ahead-of-time compilation

Email security - Updated Email security roles

To provide more granular controls, we refined the existing roles for Email security and launched a new Email security role as well. All Email security roles no longer have read or write access to any of the other Zero Trust products: Email Configuration Admin Email Integration Admin Email security Read Only Email security Analyst Email security Policy Admin Email security Reporting To configure Data Loss Prevention (DLP) or Remote Browser Isolation (RBI), you now need to be an admin for the Zero

WAF - WAF Release - 2025-09-01

This week's update This week, a critical vulnerability was disclosed in Fortinet FortiWeb (versions 7.6.3 and below, versions 7.4.7 and below, versions 7.2.10 and below, and versions 7.0.10 and below), linked to improper parameter handling that could allow unauthorized access. Key Findings Fortinet FortiWeb (CVE-2025-52970): A vulnerability may allow an unauthenticated remote attacker with access to non-public information to log in as any existing user on the device via a specially crafted reque

CVE-2025-57752

Summary Impact Resolution Credit References A vulnerability affecting has been addressed. It impacted versions prior to and , and involved a cache poisoning issue that caused sensitive image responses from API routes to be cached and subsequently served to unauthorized users.Next.js Image Optimizationv15.4.5v14.2.31 Vercel deployments were never impacted by this vulnerability. When API routes are used to return image content that varies based on headers (e.g., , ), and those images are passed

CVE-2025-55173

Summary Impact Resolution Credit References A vulnerability affecting has been addressed. It impacted versions prior to and , and involved a scenario where attacker-controlled external image servers could serve crafted responses that result in arbitrary file downloads with attacker-defined filenames and content.Next.js Image Optimizationv15.4.5v14.2.31 Your Vercel deployments are safe by default. A patch applied on July 29th, 2025 eliminated exposure for all Vercel-hosted customers. Self-hoste

CVE-2025-57822

Summary Impact Resolution Workarounds Credit References A vulnerability affecting has been addressed. It impacted versions prior to and , and involved a risk introduced by misconfigured usage of the function within middleware. Applications that reflected a user's request headers in this function, rather than passing them through the object, could unintentionally allow the server to issue requests to attacker-controlled destinations. Next.js Middlewarev14.2.32v15.4.7Server-Side Request Forge

Cache - Smart Tiered Cache Fallback to Generic

Smart Tiered Cache now falls back to Generic Tiered Cache when the origin location cannot be determined, improving cache precision for your content. Previously, when Smart Tiered Cache was unable to select the optimal upper tier (such as when origins are masked by Anycast IPs), latency could be negatively impacted. This fallback now uses Generic Tiered Cache instead, providing better performance and cache efficiency. How it works When Smart Tiered Cache falls back to Generic Tiered Cache: Multip