# Native Node Artifact Versions and Changelog

This document lists available [versions](https://docs.wallarm.com/updating-migrating/versioning-policy.md) of the [Native Wallarm Node](https://docs.wallarm.com/installation/nginx-native-node-internals.md#native-node) 0.14.x+ in various form factors, helping you track releases and plan upgrades.

## All-in-one installer

The all-in-one installer for the Native Node is used for [connectors](https://docs.wallarm.com/installation/nginx-native-node-internals.md#connectors_1).

History of all-in-one installer updates simultaneously applies to it's x86_64 and ARM64 versions.

[How to upgrade](https://docs.wallarm.com/updating-migrating/native-node/all-in-one.md)

### 0.25.1 (2026-05-21)

* Added full support for the [ME (Middle East) Wallarm Cloud](https://docs.wallarm.com/about-wallarm/overview.md#cloud) in the [all-in-one installer](https://docs.wallarm.com/installation/native-node/all-in-one.md):

    * Interactive mode now lists **ME Cloud** alongside the US and EU options.
    * The `-c, --cloud` flag now accepts `ME` as a value.
    * The `-H, --host` flag description now references `me1.api.wallarm.com`.
* Added the [`http_inspector.wmcp_enabled`](https://docs.wallarm.com/installation/native-node/all-in-one-conf.md#http_inspectorwmcp_enabled) configuration parameter (default `true`) that lets you opt out of MCP traffic analysis even when it would otherwise be enabled automatically by your Wallarm subscription
* Added [`connector.app_reply_timeout`](https://docs.wallarm.com/installation/native-node/all-in-one-conf.md#connectorapp_reply_timeout) and [`connector.app_reply_timeout_code`](https://docs.wallarm.com/installation/native-node/all-in-one-conf.md#connectorapp_reply_timeout_code) configuration parameters that enforce a hard time-based cut-off on request handling in `connector-server` mode. Use them when the upstream caller (for example, an API gateway) requires a strict response budget per request
* Fixed an issue where MCP session locations were not invalidated on configuration reload, causing stale entries to persist after reconfiguration
* Fixed an issue where attack requests were silently dropped from the export pipeline when `acl.enabled: false` was set, breaking attack reporting in deployments with ACL disabled
* Bumped Go version to 1.26.3
* Fixed security vulnerabilities:

    * [CVE-2026-42499](https://nvd.nist.gov/vuln/detail/CVE-2026-42499)
    * [CVE-2026-39836](https://nvd.nist.gov/vuln/detail/CVE-2026-39836)
    * [CVE-2026-39820](https://nvd.nist.gov/vuln/detail/CVE-2026-39820)
    * [CVE-2026-33814](https://nvd.nist.gov/vuln/detail/CVE-2026-33814)
    * [CVE-2026-33811](https://nvd.nist.gov/vuln/detail/CVE-2026-33811)
    * [CVE-2026-44432](https://nvd.nist.gov/vuln/detail/CVE-2026-44432)
    * [CVE-2026-44431](https://nvd.nist.gov/vuln/detail/CVE-2026-44431)

### 0.25.0 (2026-05-04)

* Added support for [MCP server discovery](https://docs.wallarm.com/agentic-ai/mcp-discovery.md) in API Discovery
* Added support for [MCP Sessions](https://docs.wallarm.com/api-sessions/mcp-sessions.md)
* Added [MCP mitigation controls](https://docs.wallarm.com/agentic-ai/mcp-mitigation-controls.md): ACL policy, request verification, and tool input schema enforcement
* Added HEX encoding attack detection — the Node now decodes and analyzes HEX-encoded payloads, improving protection against obfuscation-based bypass techniques
* Fixed [API Specification Enforcement](https://docs.wallarm.com/updating-migrating/api-specification-enforcement/overview.md) incorrectly reporting requests as "undefined endpoint" for OpenAPI specs that define a base path in the `servers` block

### 0.24.1 (2026-04-27)

* Added the [`metrics.per_host_stats`](https://docs.wallarm.com/installation/native-node/all-in-one-conf.md#metricsper_host_stats) configuration parameter to control per-host metrics collection (enabled by default)
* Bumped Go version to 1.26.2
* Fixed intermittent errors in custom ruleset loading and GraphQL processing
* Fixed occasional panic in [`tcp-capture-v2`](https://docs.wallarm.com/installation/oob/tcp-traffic-mirror/deployment.md) mode

### 0.24.0 (2026-04-06)

* Added [authentication flow detection](https://docs.wallarm.com/api-discovery/authentication.md) in API Discovery — automatically identifies authentication methods used by each endpoint and highlights unauthenticated endpoints
* [TCP traffic mirror analysis](https://docs.wallarm.com/installation/oob/tcp-traffic-mirror/deployment.md) (`tcp-capture-v2` mode):

    * Added support for [VXLAN](https://docs.wallarm.com/installation/oob/tcp-traffic-mirror/deployment.md#vxlan) and [GENEVE](https://docs.wallarm.com/installation/oob/tcp-traffic-mirror/deployment.md#geneve) decapsulation, including automatic support for [AWS VPC Traffic Mirroring](https://docs.aws.amazon.com/vpc/latest/mirroring/what-is-traffic-mirroring.html) (GENEVE with nested VXLAN)
    * Added new configuration parameters: [`tcp_stream.from_vxlan`](https://docs.wallarm.com/installation/native-node/all-in-one-conf.md#tcp_streamfrom_vxlan) and [`tcp_stream.from_geneve`](https://docs.wallarm.com/installation/native-node/all-in-one-conf.md#tcp_streamfrom_geneve) for receiving encapsulated mirrored traffic
    * Fixed issues that caused missing and unanalyzed requests, incorrect response-to-request association, and VLAN ID mishandling
    * Fixed incorrect reassembly of interlaced packets captured from multiple interfaces in promiscuous mode
* Changed default [`log.proton_log_mask`](https://docs.wallarm.com/installation/native-node/all-in-one-conf.md#logproton_log_mask) from `info@*` to `info+@*` to show warning and error messages from the traffic analysis engine (previously only info-level messages were displayed)
* Changed default [`http_inspector.shm_dir`](https://docs.wallarm.com/installation/native-node/all-in-one-conf.md#http_inspectorshm_dir) from `/tmp` to `/opt/wallarm/shm` for better compatibility with containerized environments
* Fixed [API Specification Enforcement](https://docs.wallarm.com/api-specification-enforcement/overview.md) not triggering [specification processing overlimit](https://docs.wallarm.com/api-specification-enforcement/viewing-events.md#overlimit-events) events for requests exceeding size or time limits
* Updated [Prometheus metrics](https://docs.wallarm.com/admin-en/native-node-metrics-gonode.md):

    | Change | Metric |
    |--------|--------|
    | New | `wallarm_gonode_tcp_stream_input_packets_total{source=…}` |
    | New | `wallarm_gonode_tcp_stream_input_bytes_total{source=…}` |
    | New | `wallarm_gonode_tcp_stream_output_packets_total` |
    | New | `wallarm_gonode_tcp_stream_output_bytes_total` |
    | New | `wallarm_gonode_tcp_stream_packets_rejected_total{reason=…}` |
    | New | `wallarm_gonode_tcp_stream_bytes_rejected_total{reason=…}` |
    | New | `wallarm_gonode_tcp_reassembler_http_decode_bytes_decoded_total` |
    | New | `wallarm_gonode_tcp_reassembler_http_flow_bytes_rejected_total` |
    | New | `wallarm_gonode_tcp_reassembler_container_is_overloaded` |
    | New | `wallarm_gonode_tcp_reassembler_http_unpaired_messages` |
    | New | `wallarm_gonode_tcp_stream_diag_interface_counters_total` |
    | New | `wallarm_gonode_tcp_stream_errors_total` (Geneve/VXLAN error types) |
    | New | `wallarm_gonode_envoy_external_filter_requests_blocked_total` |
    | Changed | `wallarm_gonode_tcp_stream_diag_interface_info` — now only reports MTU; I/O counters moved to `diag_interface_counters_total` |
    | Changed | Per-host metrics (`*_per_host_total`) — `host` label is now validated, normalized to lowercase; invalid/oversized values bucketed under `__invalid_host__` |
    | Renamed | `…errors_total{type="ResponseBeforeRequest"}` → `…{type="ResponseReadyBeforeRequest"}` |
    | Removed | `wallarm_gonode_tcp_stream_tcp_packets_read_total` |
    | Removed | `wallarm_gonode_http_connector_server_errors_total{type="MsgType"}` |
* Fixed minor stability and reliability issues

### 0.23.2 (2026-03-24)

* Fixed the [GHSA-6g7g-w4f8-9c9x](https://github.com/advisories/GHSA-6g7g-w4f8-9c9x) vulnerability

### 0.23.1 (2026-03-19)

* Fixed a memory leak in the [API Specification Enforcement](https://docs.wallarm.com/api-specification-enforcement/overview.md) component that caused steadily increasing memory consumption and eventual OOMKill pod restarts
* Added new traffic metrics to the [`wallarm-status`](https://docs.wallarm.com/admin-en/configure-statistics-service.md) statistics service: `bytes_blocked_in`, `bytes_blocked_out`, `bytes_blocked_by_acl_in`, and `bytes_blocked_by_acl_out`

    These counters track the volume of incoming and outgoing traffic in blocked requests, split by block reason (attack/overlimit/antibot vs. denylists). Available in JSON, Prometheus, and per-application split formats.
* Bumped Go version to 1.26.1
* Fixed a shared memory allocation bug in the statistics service initialization that could lead to data corruption under high load
* Fixed memory limit handling for **wcli** jobs
* Fixed security vulnerabilities:

    * [CVE-2026-33186](https://nvd.nist.gov/vuln/detail/CVE-2026-33186)
    * [CVE-2026-27137](https://nvd.nist.gov/vuln/detail/CVE-2026-27137)
    * [CVE-2026-25679](https://nvd.nist.gov/vuln/detail/CVE-2026-25679)
    * [CVE-2026-27141](https://nvd.nist.gov/vuln/detail/CVE-2026-27141)
    * [CVE-2026-27142](https://nvd.nist.gov/vuln/detail/CVE-2026-27142)
    * [CVE-2026-27138](https://nvd.nist.gov/vuln/detail/CVE-2026-27138)
    * [CVE-2026-27139](https://nvd.nist.gov/vuln/detail/CVE-2026-27139)

### 0.23.0 (2026-02-24)

* Added support for circular references in OpenAPI specifications uploaded for [API Specification Enforcement](https://docs.wallarm.com/api-specification-enforcement/overview.md)
* Added support for OpenAPI v3 specifications with non-string (for example, integer) YAML keys in [API Specification Enforcement](https://docs.wallarm.com/api-specification-enforcement/overview.md). This improves compatibility and prevents schema parsing failures
* Increased the frequency of session updates sent to the Wallarm Cloud. Sessions now appear in the UI faster, closer to real time
* Improved memory usage monitoring and prevention of resource exhaustion
* Added API token masking in Node logs to prevent sensitive data exposure
* Fixed the [CVE-2026-21441](https://scout.docker.com/vulnerabilities/id/CVE-2026-21441) vulnerability
* Fixed an issue where the Node sent too many requests in a single batch to **wstore**, causing submission failures
* Fixed an issue where the installer script failed with the "Incorrect config content for tcp-capture-v2 mode" error when the [`mode`](https://docs.wallarm.com/installation/native-node/all-in-one-conf.md#mode-required) parameter value was quoted
* Minor bug fixes and performance improvements

### 0.22.2 (2026-05-08)

* Added [`connector.app_reply_timeout`](https://docs.wallarm.com/installation/native-node/all-in-one-conf.md#connectorapp_reply_timeout) and [`connector.app_reply_timeout_code`](https://docs.wallarm.com/installation/native-node/all-in-one-conf.md#connectorapp_reply_timeout_code) configuration parameters that enforce a hard time-based cut-off on request handling in `connector-server` mode. Use them when the upstream caller (for example, an API gateway) requires a strict response budget per request

### 0.22.1 (2026-02-03)

* Fixed an issue where real IP header overrides were not applied when the header value contained an IP address with a port

### 0.22.0 (2025-12-23)

* Added support for the [Gloo Gateway connector](https://docs.wallarm.com/installation/connectors/gloo.md)
* Fixed the issue where integers were not being masked when using the ["Mask sensitive data" rule](https://docs.wallarm.com/user-guides/rules/sensitive-data-rule.md)
* Fixed the issue where responses containing infoleak stamps were being blocked

    Wallarm no longer blocks such responses, as doing so caused false detections and prevented rules from being edited
* Fixed connector server waiting for the response data that is known to never arrive

### 0.21.0 (2025-12-17)

* Added support for the [Amazon API Gateway connector](https://docs.wallarm.com/installation/connectors/aws-api-gateway.md)
* Added the `client_uuid` label to all `*_per_app*` and `*_per_host*` [Prometheus metrics](https://docs.wallarm.com/admin-en/native-node-metrics-gonode.md) for Nodes running in multi-tenant mode
* Fixed the issue where the [`wallarm_status` service statistics](https://docs.wallarm.com/admin-en/configure-statistics-service.md) contained the outdated `abnormal` metric, which was incorrectly increasing with each request

    The metric and other outdated fields have been removed.
* Fixed an issue where large or overlapping denylisted IP ranges were not being blocked in Security Edge-hosted environments

### 0.20.0 (2025-11-25)

* Introduced support for OpenAPI 3.1 in the [API Specification Enforcement](https://docs.wallarm.com/api-specification-enforcement/overview.md) feature — you can now upload specifications in version 3.1 format to compare traffic against them, identify mismatches, and mitigate related security risks
* Added [Prometheus metrics support](https://docs.wallarm.com/admin-en/native-node-metrics-wstore.md) for the Postanalytics **wstore** component. The metrics are available by default at `http://localhost:9001/metrics` using the `tcp4` (IPv4-only) protocol

    You can change the default metrics host, port, and protocol by setting the following environment variables when deploying the Node:

    * `WALLARM_WSTORE__METRICS__LISTEN_ADDRESS` — defines the host and port
    * `WALLARM_WSTORE__METRICS__PROTOCOL` — defines the protocol

* Added [Prometheus metrics support](https://docs.wallarm.com/admin-en/native-node-metrics-gonode.md#wallarm_gonode_apifw_) for API Specification Enforcement service operation (based on the built-in API Firewall service). API Firewall metrics are included as part of the [`go-node` Prometheus metrics](https://docs.wallarm.com/admin-en/native-node-metrics.md)
* Removed support for the deprecated `http_inspector.real_ip_header` configuration parameter
* Improved Node initialization logs — added detailed information about component type, supported versions, error source, API endpoint, and Node UUID to simplify troubleshooting during the initialization stage
* Fixed the [CVE-2025-58188](https://www.cve.org/CVERecord?id=CVE-2025-58188) vulnerability
* Bug fixes:

    * Fixed an issue where the Aggregation/**wcli** container could enter a crash loop due to an out-of-memory (OOM) condition
    * Fixed an issue where the Node raised an error when a JWT token was sent in the `Authorization: Bearer` header
    * Fixed invalid type error when editing automatically created rules for attacks detected in gRPC responses
    * Fixed a race condition in out-of-band connectors, resolving the `FlowIsMissingRequest`, `FlowIsMissingResponse`, and occasional duplicate ID errors
    * Fixed the issue where the `verdict` field in `go-node` access logs was occasionally missing, incorrectly formatted, and not JSON-compatible

### 0.19.0 (2025-10-07)

* Added support for [blocking attackers by API sessions](https://docs.wallarm.com/api-sessions/blocking.md)
* Added [multitenancy support](https://docs.wallarm.com/installation/multi-tenant/overview.md)
* Changed the default **wstore** binding to IPv4 (`tcp4`), it now listens only on IPv4 instead of dual‑stack

    If your configuration uses `localhost` for **wstore**, update it to `127.0.0.1`.
* Introduced protocol selection (tcp, tcp4, tcp6) using the `WALLARM_WSTORE__SERVICE__PROTOCOL` environment variable, which can be set in `/opt/wallarm/env.list`

    The default value is `"tcp4"`.
* Relaxed content-type validation in [API Specification Enforcement](https://docs.wallarm.com/api-specification-enforcement/overview.md): requests with image MIME types (`image/png`, `image/jpeg`, `image/gif`, `image/webp`, `image/avif`, `image/heic`, `image/heif`, `image/bmp`, `image/tiff`, `image/svg+xml`) are no longer rejected
* Bumped Go version to 1.24
* Bug fixes:

    * Fixed an issue where the `go-node` process could segfault in production environments
    * Fixed an issue where response context parameters configured in [API Sessions](https://docs.wallarm.com/api-sessions/setup.md) were not uploaded to the Wallarm Cloud
    * Fixed an issue with incorrect [`remote_addr`](https://docs.wallarm.com/user-guides/rules/request-processing.md#ip-address-of-a-request-origin) parsing

### 0.18.0 (2025-09-17)

* Added support for the [Azure API Management connector](https://docs.wallarm.com/installation/connectors/azure-api-management.md)
* Added support for the [Apigee API Management connector](https://docs.wallarm.com/installation/connectors/apigee.md)
* Updated Go version to 1.25
* `http_inspector.workers: auto` now respects Kubernetes `cgroup` limits
* Optimized mesh balancing logic for scale-up and scale-down events
* Bug fixes:

    * Fixed issue where the `go-node` process did not terminate correctly when stopped too early
    * Fixed issue where the `go-node` process ignored failures of metrics/health-check/mesh listeners
    * Fixed issue where `http_inspector` workers silently ignored ACL errors, addressing the most common source of these errors

### 0.17.1 (2025-08-15)

* Fixed the stuffed credentials export to the Cloud
* Improved GraphQL parser
* Optimized the internal channel between the Node and wstore to increase throughput
    
    This prevents potential data loss when the Node ingests traffic faster than it can export it to postanalytics.
* Fixed an issue where serialized requests without a source IP address failed to be exported to postanalytics
* Bug fixes and internal improvements

### 0.16.3 (2025-08-05)

* Added support for the [Akamai connector](https://docs.wallarm.com/installation/connectors/akamai-edgeworkers.md)
* Fixed a silent failure when upgrading with the `--preserve` flag set to `true`

### 0.16.1 (2025-08-01)

* Added new [Prometheus metrics](https://docs.wallarm.com/admin-en/native-node-metrics.md):

    * `wallarm_gonode_application_info` with the general Native Node instance information, e.g.:
    
        ```bash
        wallarm_gonode_application_info{deployment_type="node-native-aio-installer",mode="connector-server",version="0.16.1"} 1
        ```
    
    * `wallarm_gonode_http_inspector_balancer_workers`
    * `wallarm_gonode_http_inspector_debug_container_len` now includes `aggregate="sum"` for `type="channel:in"`
    * `wallarm_gonode_http_inspector_errors_total` now includes a new `type="FlowTimeouts"`
* Improved stability in the internal `http_inspector` module

### 0.16.0 (2025-07-23)

* Added support for [file upload restriction policy](https://docs.wallarm.com/api-protection/file-upload-restriction.md) via mitigation controls
* Added support for [unrestricted resource consumption](https://docs.wallarm.com/attacks-vulns-list.md#unrestricted-resource-consumption) mitigation by [API Abuse Prevention](https://docs.wallarm.com/api-abuse-prevention/overview.md)
* Added support for the [MuleSoft Flex Gateway connector](https://docs.wallarm.com/installation/connectors/mulesoft-flex.md)
* Introduced the [`input_filters`](https://docs.wallarm.com/installation/native-node/all-in-one-conf.md#input_filters) configuration section, allowing to define which requests should be inspected or bypassed by the Node
* Fixed memory leak
* In rules, the separator used in [**xml_tag**](https://docs.wallarm.com/user-guides/rules/request-processing.md#xml) values that combine a URI, namespace, and tag name has been changed from `:` to `|`
* Fixed blocking issue with denylisted origins and Wallarm Console UI-configured mode
* Internal improvements

### 0.15.1 (2025-07-08)

* Added support for [mitigation control-based](https://docs.wallarm.com/api-protection/graphql-rule.md#mitigation-control-based-protection) **GraphQL API Protection**
* Introduced the [`proxy_headers`](https://docs.wallarm.com/installation/native-node/all-in-one-conf.md#proxy_headers) configuration to configure trusted networks and extract real client IP and host headers
* Added the [`metrics.namespace`](https://docs.wallarm.com/installation/native-node/all-in-one-conf.md#metricsnamespace) configuration option to customize the prefix of Prometheus metrics exposed by the `go-node` binary
* Fixed the `--preserve` script flag behavior to correctly retain the existing `node.yaml` and `env.list` files during upgrade

    Previously, these files could be overwritten, resulting in loss of configuration.
* Added [`connector.per_connection_limits`](https://docs.wallarm.com/installation/native-node/all-in-one-conf.md#connectorper_connection_limits) to control `keep-alive` connection limits
* Minor internal file structure change
* Fixed wstore ports binding: now bound to `127.0.0.1` instead of `0.0.0.0`
* Fixed the [CVE-2025-22874](https://nvd.nist.gov/vuln/detail/CVE-2025-22874) vulnerability
* Fixed the [CVE-2025-47273](https://nvd.nist.gov/vuln/detail/CVE-2025-47273) vulnerability

### 0.14.1 (2025-05-07)

* Added support for [**enumeration**](https://docs.wallarm.com/api-protection/enumeration-attack-protection.md) mitigation controls
* Added support for [**DoS protection**](https://docs.wallarm.com/api-protection/dos-protection.md) mitigation control
* Added support for the [IBM API Connect connector](https://docs.wallarm.com/installation/connectors/ibm-api-connect.md)
* Fixed the [CVE-2024-56406](https://nvd.nist.gov/vuln/detail/CVE-2024-56406), [CVE-2025-31115](https://nvd.nist.gov/vuln/detail/CVE-2025-31115) vulnerabilities
* Added support for external health check endpoint in the `connector-server` mode

    This is controlled by the new [`connector.external_health_check`](https://docs.wallarm.com/installation/native-node/all-in-one-conf.md#connectorexternal_health_check) configuration section.
* Fixed a recurring intermittent bug that could cause occasional corruption of request and response bodies
* Fixed incorrect display of Native Node versions in Wallarm Console → **Nodes**

### 0.14.0 (2025-04-16)

* Wallarm Node now uses **wstore**, a Wallarm-developed service, instead of Tarantool for local postanalytics processing
* The collectd service, previously installed on all filtering nodes, has been removed along with its related plugins
    
    Metrics are now collected and sent using Wallarm's built-in mechanisms, reducing dependencies on external tools.

## Helm chart

The Helm chart for the Native Node is used for self-hosted node deployments with the [connectors](https://docs.wallarm.com/installation/nginx-native-node-internals.md#connectors_1).

[How to upgrade](https://docs.wallarm.com/updating-migrating/native-node/helm-chart.md)

### 0.25.1 (2026-05-21)

* Fixed an issue where MCP session locations were not invalidated on configuration reload, causing stale entries to persist after reconfiguration
* Fixed an issue where attack requests were silently dropped from the export pipeline when `acl.enabled: false` was set, breaking attack reporting in deployments with ACL disabled
* Bumped Go version to 1.26.3
* Fixed security vulnerabilities:

    * [CVE-2026-42499](https://nvd.nist.gov/vuln/detail/CVE-2026-42499)
    * [CVE-2026-39836](https://nvd.nist.gov/vuln/detail/CVE-2026-39836)
    * [CVE-2026-39820](https://nvd.nist.gov/vuln/detail/CVE-2026-39820)
    * [CVE-2026-33814](https://nvd.nist.gov/vuln/detail/CVE-2026-33814)
    * [CVE-2026-33811](https://nvd.nist.gov/vuln/detail/CVE-2026-33811)

### 0.25.0 (2026-05-04)

* Added support for [MCP server discovery](https://docs.wallarm.com/agentic-ai/mcp-discovery.md) in API Discovery
* Added support for [MCP Sessions](https://docs.wallarm.com/api-sessions/mcp-sessions.md)
* Added [MCP mitigation controls](https://docs.wallarm.com/agentic-ai/mcp-mitigation-controls.md): ACL policy, request verification, and tool input schema enforcement
* Added HEX encoding attack detection — the Node now decodes and analyzes HEX-encoded payloads, improving protection against obfuscation-based bypass techniques
* Fixed [API Specification Enforcement](https://docs.wallarm.com/updating-migrating/api-specification-enforcement/overview.md) incorrectly reporting requests as "undefined endpoint" for OpenAPI specs that define a base path in the `servers` block

### 0.24.1 (2026-04-27)

* Bumped Go version to 1.26.2
* Fixed intermittent errors in custom ruleset loading and GraphQL processing

### 0.24.0 (2026-04-06)

* Added [authentication flow detection](https://docs.wallarm.com/api-discovery/authentication.md) in API Discovery — automatically identifies authentication methods used by each endpoint and highlights unauthenticated endpoints
* Fixed [API Specification Enforcement](https://docs.wallarm.com/api-specification-enforcement/overview.md) not triggering [specification processing overlimit](https://docs.wallarm.com/api-specification-enforcement/viewing-events.md#overlimit-events) events for requests exceeding size or time limits
* Updated [Prometheus metrics](https://docs.wallarm.com/admin-en/native-node-metrics-gonode.md):

    | Change | Metric |
    |--------|--------|
    | New | `wallarm_gonode_envoy_external_filter_requests_blocked_total` |
    | Changed | Per-host metrics (`*_per_host_total`) — `host` label is now validated, normalized to lowercase; invalid/oversized values bucketed under `__invalid_host__` |
    | Renamed | `…errors_total{type="ResponseBeforeRequest"}` → `…{type="ResponseReadyBeforeRequest"}` |
    | Removed | `wallarm_gonode_http_connector_server_errors_total{type="MsgType"}` |
* Fixed minor stability and reliability issues

### 0.23.2 (2026-03-24)

* Fixed the [GHSA-6g7g-w4f8-9c9x](https://github.com/advisories/GHSA-6g7g-w4f8-9c9x) vulnerability

### 0.23.1 (2026-03-19)

* Fixed a memory leak in the [API Specification Enforcement](https://docs.wallarm.com/api-specification-enforcement/overview.md) component that caused steadily increasing memory consumption and eventual OOMKill pod restarts
* Added new traffic metrics to the [`wallarm-status`](https://docs.wallarm.com/admin-en/configure-statistics-service.md) statistics service: `bytes_blocked_in`, `bytes_blocked_out`, `bytes_blocked_by_acl_in`, and `bytes_blocked_by_acl_out`

    These counters track the volume of incoming and outgoing traffic in blocked requests, split by block reason (attack/overlimit/antibot vs. denylists). Available in JSON, Prometheus, and per-application split formats.
* Bumped Go version to 1.26.1
* Fixed a shared memory allocation bug in the statistics service initialization that could lead to data corruption under high load
* Fixed memory limit handling for **wcli** jobs
* Fixed security vulnerabilities:

    * [CVE-2026-33186](https://nvd.nist.gov/vuln/detail/CVE-2026-33186)
    * [CVE-2026-27137](https://nvd.nist.gov/vuln/detail/CVE-2026-27137)
    * [CVE-2026-25679](https://nvd.nist.gov/vuln/detail/CVE-2026-25679)
    * [CVE-2026-27141](https://nvd.nist.gov/vuln/detail/CVE-2026-27141)
    * [CVE-2026-27142](https://nvd.nist.gov/vuln/detail/CVE-2026-27142)
    * [CVE-2026-27138](https://nvd.nist.gov/vuln/detail/CVE-2026-27138)
    * [CVE-2026-22184](https://nvd.nist.gov/vuln/detail/CVE-2026-22184)
    * [CVE-2026-27171](https://nvd.nist.gov/vuln/detail/CVE-2026-27171)
    * [CVE-2026-27139](https://nvd.nist.gov/vuln/detail/CVE-2026-27139)

### 0.23.0 (2026-02-24)

* Improved the Helm chart for high-availability deployments by adding pod disruption budgets, tuning resource settings, and introducing the [`topologySpreadConstraints`](https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/) and [`startupProbe`](https://kubernetes.io/docs/concepts/configuration/liveness-readiness-startup-probes/#startup-probe) values
* Added support for circular references in OpenAPI specifications uploaded for [API Specification Enforcement](https://docs.wallarm.com/api-specification-enforcement/overview.md)
* Added support for OpenAPI v3 specifications with non-string (for example, integer) YAML keys in [API Specification Enforcement](https://docs.wallarm.com/api-specification-enforcement/overview.md). This improves compatibility and prevents schema parsing failures
* Increased the frequency of session updates sent to the Wallarm Cloud. Sessions now appear in the UI faster, closer to real time
* Improved memory usage monitoring and prevention of resource exhaustion
* Added API token masking in Node logs to prevent sensitive data exposure
* Fixed the [CVE-2026-21441](https://scout.docker.com/vulnerabilities/id/CVE-2026-21441) vulnerability
* Fixed an issue where the Node sent too many requests in a single batch to **wstore**, causing submission failures
* Minor bug fixes and performance improvements

### 0.22.1 (2026-02-03)

* Fixed an issue where real IP header overrides were not applied when the header value contained an IP address with a port

### 0.22.0 (2025-12-23)

* Added support for the [Gloo Gateway connector](https://docs.wallarm.com/installation/connectors/gloo.md)
* Added support for Kong Ingress Controller connector 1.1.0 with new `inspect_response` and `inspect_response_body` [configuration parameters](https://docs.wallarm.com/installation/connectors/kong-ingress-controller.md#configuration-options)
* Fixed the issue where integers were not being masked when using the ["Mask sensitive data" rule](https://docs.wallarm.com/user-guides/rules/sensitive-data-rule.md)
* Fixed the issue where responses containing infoleak stamps were being blocked

    Wallarm no longer blocks such responses, as doing so caused false detections and prevented rules from being edited
* Fixed connector server waiting for the response data that is known to never arrive

### 0.21.0 (2025-12-17)

* Added support for the [Amazon API Gateway connector](https://docs.wallarm.com/installation/connectors/aws-api-gateway.md)
* Added the `client_uuid` label to all `*_per_app*` and `*_per_host*` [Prometheus metrics](https://docs.wallarm.com/admin-en/native-node-metrics-gonode.md) for Nodes running in multi-tenant mode
* Fixed the issue where the [`wallarm_status` service statistics](https://docs.wallarm.com/admin-en/configure-statistics-service.md) contained the outdated `abnormal` metric, which was incorrectly increasing with each request

    The metric and other outdated fields have been removed.
* Fixed an issue where large or overlapping denylisted IP ranges were not being blocked in Security Edge-hosted environments
* Fixed the following vulnerabilities:
    
    * [CVE-2025-66418](https://nvd.nist.gov/vuln/detail/CVE-2025-66418)
    * [CVE-2025-66471](https://nvd.nist.gov/vuln/detail/CVE-2025-66471)
    * [CVE-2024-58251](https://nvd.nist.gov/vuln/detail/CVE-2024-58251)
    * [CVE-2025-46394](https://nvd.nist.gov/vuln/detail/CVE-2025-46394)

### 0.20.0 (2025-11-25)

* Introduced support for OpenAPI 3.1 in the [API Specification Enforcement](https://docs.wallarm.com/api-specification-enforcement/overview.md) feature — you can now upload specifications in version 3.1 format to compare traffic against them, identify mismatches, and mitigate related security risks
* Added [Prometheus metrics support](https://docs.wallarm.com/admin-en/native-node-metrics-wstore.md) for the Postanalytics **wstore** component. The metrics are available by default at `http://localhost:9001/metrics` using the `tcp4` (IPv4-only) protocol

    You can change the default metrics host, port, and protocol by setting the following in `values.yaml`:

    * [`config.aggregation.metrics.listenAddress`](https://docs.wallarm.com/installation/native-node/helm-chart-conf.md#configaggregationmetricslistenaddress) — defines the host and port
    * [`config.aggregation.metrics.protocol`](https://docs.wallarm.com/installation/native-node/helm-chart-conf.md#configaggregationmetricsprotocol) — defines the protocol

* Added [Prometheus metrics support](https://docs.wallarm.com/admin-en/native-node-metrics-gonode.md#wallarm_gonode_apifw_) for API Specification Enforcement service operation (based on the built-in API Firewall service). API Firewall metrics are included as part of the [`go-node` Prometheus metrics](https://docs.wallarm.com/admin-en/native-node-metrics.md)
* Improved Node initialization logs — added detailed information about component type, supported versions, error source, API endpoint, and Node UUID to simplify troubleshooting during the initialization stage
* Switched to native HTTP readiness and liveness probes for the **wstore** component
* Fixed the [CVE-2025-58188](https://www.cve.org/CVERecord?id=CVE-2025-58188) vulnerability
* Bug fixes:

    * Fixed an issue where the Aggregation/**wcli** container could enter a crash loop due to an out-of-memory (OOM) condition
    * Fixed the issue where the Node raised an error when a JWT token was sent in the `Authorization: Bearer` header
    * Fixed invalid type error when editing automatically created rules for attacks detected in gRPC responses
    * Fixed a race condition in out-of-band connectors, resolving the `FlowIsMissingRequest`, `FlowIsMissingResponse`, and occasional duplicate ID errors
    * Fixed the issue where the `verdict` field in `go-node` access logs was occasionally missing, incorrectly formatted, and not JSON-compatible

### 0.19.0 (2025-10-07)

* Added support for [blocking attackers by API sessions](https://docs.wallarm.com/api-sessions/blocking.md)
* Added [multitenancy support](https://docs.wallarm.com/installation/multi-tenant/overview.md)
* Changed the default **wstore** binding to IPv4 (`tcp4`), it now listens only on IPv4 instead of dual‑stack
* Introduced the protocol selection (tcp, tcp4, tcp6) configuration parameter: [`config.aggregation.serviceProtocol`](https://docs.wallarm.com/installation/native-node/helm-chart-conf.md#configaggregationserviceprotocol) 

    The default value is `"tcp4"`.
* Changed the default value of [config.aggregation.serviceAddress](https://docs.wallarm.com/installation/native-node/helm-chart-conf.md#configaggregationserviceaddress) to `0.0.0.0:3313`

    This allows IPv4 traffic only. If you are using a custom value, make sure it matches the selected `config.aggregation.serviceProtocol`.    
* Relaxed content-type validation in [API Specification Enforcement](https://docs.wallarm.com/api-specification-enforcement/overview.md): requests with image MIME types (`image/png`, `image/jpeg`, `image/gif`, `image/webp`, `image/avif`, `image/heic`, `image/heif`, `image/bmp`, `image/tiff`, `image/svg+xml`) are no longer rejected
* Bumped Go version to 1.24
* Set the default value for `config.connector.per_connection_limits.max_duration` to 1m (1 minute)
* Bug fixes:

    * Fixed an issue where the `go-node` process could segfault in production environments
    * Fixed an issue where response context parameters configured in [API Sessions](https://docs.wallarm.com/api-sessions/setup.md) were not uploaded to the Wallarm Cloud
    * Fixed an issue with incorrect [remote_addr](https://docs.wallarm.com/user-guides/rules/request-processing.md#ip-address-of-a-request-origin) parsing
    * Fixed an issue where processing affinity was not applied correctly in the Native Node Helm chart

### 0.18.0 (2025-09-17)

* Added support for the [Azure API Management connector](https://docs.wallarm.com/installation/connectors/azure-api-management.md)
* Added support for the [Apigee API Management connector](https://docs.wallarm.com/installation/connectors/apigee.md)
* Updated Go version to 1.25
* `http_inspector.workers: auto` now respects Kubernetes `cgroup` limits
* Optimized mesh balancing logic for scale-up and scale-down events
* Bug fixes:

    * Fixed issue where the `go-node` process did not terminate correctly when stopped too early
    * Fixed issue where the `go-node` process ignored failures of metrics/health-check/mesh listeners
    * Fixed issue where `http_inspector` workers silently ignored ACL errors, addressing the most common source of these errors

### 0.17.1 (2025-08-15)

* Introduced the [`proxy_headers`](https://docs.wallarm.com/installation/native-node/helm-chart-conf.md#configconnectorproxy_headers) configuration to configure trusted networks and extract real client IP and host headers
* Fixed the stuffed credentials export to the Cloud
* Improved GraphQL parser
* Optimized the internal channel between the Node and wstore to increase throughput
    
    This prevents potential data loss when the Node ingests traffic faster than it can export it to postanalytics.
* Fixed an issue where serialized requests without a source IP address failed to be exported to postanalytics
* Bug fixes and internal improvements

### 0.16.3 (2025-08-05)

* Added support for the [Akamai connector](https://docs.wallarm.com/installation/connectors/akamai-edgeworkers.md)
* Bug fixes

### 0.16.1 (2025-08-01)

* Introduced the [`input_filters`](https://docs.wallarm.com/installation/native-node/helm-chart-conf.md#configconnectorinput_filters) configuration section, allowing to define which requests should be inspected or bypassed by the Node
* Added new [Prometheus metrics](https://docs.wallarm.com/admin-en/native-node-metrics.md):

    * `wallarm_gonode_application_info` with the general Native Node instance information, e.g.:
    
        ```bash
        wallarm_gonode_application_info{deployment_type="node-native-aio-installer",mode="connector-server",version="0.16.1"} 1
        ```
    
    * `wallarm_gonode_http_inspector_balancer_workers`
    * `wallarm_gonode_http_inspector_debug_container_len` now includes `aggregate="sum"` for `type="channel:in"`
    * `wallarm_gonode_http_inspector_errors_total` now includes a new `type="FlowTimeouts"`
* Deprecated the Wallarm Connector for [Istio that relied on a Lua plugin](https://docs.wallarm.com/5.x/installation/connectors/istio.md)

    We recommend using the [gRPC-based external processing filter for Istio](https://docs.wallarm.com/installation/connectors/istio.md) instead.
* For the deprecated Istio connector, the following improvements were made to ensure compatibility in existing deployments:

    * Fixed mesh balancing logic for messages
    * Added the `disable_mesh` parameter to process all connector traffic on the Node without mesh balancing (`false` by default - mesh balancing is enabled)
* Improved stability in the internal `http_inspector` module

### 0.16.0 (2025-07-23)

* Added support for [file upload restriction policy](https://docs.wallarm.com/api-protection/file-upload-restriction.md) via mitigation controls
* Added support for [unrestricted resource consumption](https://docs.wallarm.com/attacks-vulns-list.md#unrestricted-resource-consumption) mitigation by [API Abuse Prevention](https://docs.wallarm.com/api-abuse-prevention/overview.md)
* Added support for the [MuleSoft Flex Gateway connector](https://docs.wallarm.com/installation/connectors/mulesoft-flex.md)
* Fixed memory leak
* In rules, the separator used in [**xml_tag**](https://docs.wallarm.com/user-guides/rules/request-processing.md#xml) values that combine a URI, namespace, and tag name has been changed from `:` to `|`
* Fixed blocking issue with denylisted origins and Wallarm Console UI-configured mode
* Internal improvements

### 0.15.1 (2025-07-08)

* Added support for [mitigation control-based](https://docs.wallarm.com/api-protection/graphql-rule.md#mitigation-control-based-protection) **GraphQL API Protection**
* Added support for the [`config.aggregation.serviceAddress`](https://docs.wallarm.com/installation/native-node/helm-chart-conf.md#configaggregationserviceaddress) parameter to customize the address and port for incoming **wstore** connections
* Minor internal file structure change
* Fixed the [CVE-2025-22874](https://nvd.nist.gov/vuln/detail/CVE-2025-22874) vulnerability
* Fixed the [CVE-2025-47273](https://nvd.nist.gov/vuln/detail/CVE-2025-47273) vulnerability


### 0.14.1 (2025-05-07)

* Added support for the [IBM API Connect connector](https://docs.wallarm.com/installation/connectors/ibm-api-connect.md)
* Fixed the [CVE-2025-22871](https://nvd.nist.gov/vuln/detail/CVE-2025-22871) vulnerability
* Fixed handling of `clusterIP: None` in Helm chart headless service
* Fixed a recurring intermittent bug that could cause occasional corruption of request and response bodies
* Fixed incorrect display of Native Node versions in Wallarm Console → **Nodes**

### 0.14.0 (2025-04-16)

* Wallarm Node now uses **wstore**, a Wallarm-developed service, instead of Tarantool for local postanalytics processing
* All `tarantool` references in `values.yaml` (including container names and parameter keys) have been renamed to `wstore`

    If you override these parameters in your configuration, update their names accordingly.
* The collectd service, previously installed on all filtering nodes, has been removed along with its related plugins
    
    Metrics are now collected and sent using Wallarm's built-in mechanisms, reducing dependencies on external tools.
* Renamed the `container` label to `type` in all Prometheus metrics matching `*_container_*` to prevent conflicts with Kubernetes system labels

## Docker image

The Docker image for the Native Node is used for self-hosted node deployment with the [connectors](https://docs.wallarm.com/installation/nginx-native-node-internals.md#connectors_1).

[How to upgrade](https://docs.wallarm.com/updating-migrating/native-node/docker-image.md)

### 0.25.1 (2026-05-21)

* Added the [`http_inspector.wmcp_enabled`](https://docs.wallarm.com/installation/native-node/all-in-one-conf.md#http_inspectorwmcp_enabled) configuration parameter (default `true`) that lets you opt out of MCP traffic analysis even when it would otherwise be enabled automatically by your Wallarm subscription
* Added [`connector.app_reply_timeout`](https://docs.wallarm.com/installation/native-node/all-in-one-conf.md#connectorapp_reply_timeout) and [`connector.app_reply_timeout_code`](https://docs.wallarm.com/installation/native-node/all-in-one-conf.md#connectorapp_reply_timeout_code) configuration parameters that enforce a hard time-based cut-off on request handling in `connector-server` mode. Use them when the upstream caller (for example, an API gateway) requires a strict response budget per request
* Fixed an issue where MCP session locations were not invalidated on configuration reload, causing stale entries to persist after reconfiguration
* Fixed an issue where attack requests were silently dropped from the export pipeline when `acl.enabled: false` was set, breaking attack reporting in deployments with ACL disabled
* Bumped Go version to 1.26.3
* Fixed security vulnerabilities:

    * [CVE-2026-42499](https://nvd.nist.gov/vuln/detail/CVE-2026-42499)
    * [CVE-2026-39836](https://nvd.nist.gov/vuln/detail/CVE-2026-39836)
    * [CVE-2026-39820](https://nvd.nist.gov/vuln/detail/CVE-2026-39820)
    * [CVE-2026-33814](https://nvd.nist.gov/vuln/detail/CVE-2026-33814)
    * [CVE-2026-33811](https://nvd.nist.gov/vuln/detail/CVE-2026-33811)
    * [CVE-2026-44432](https://nvd.nist.gov/vuln/detail/CVE-2026-44432)
    * [CVE-2026-44431](https://nvd.nist.gov/vuln/detail/CVE-2026-44431)

### 0.25.0 (2026-05-04)

* Added support for [MCP server discovery](https://docs.wallarm.com/agentic-ai/mcp-discovery.md) in API Discovery
* Added support for [MCP Sessions](https://docs.wallarm.com/api-sessions/mcp-sessions.md)
* Added [MCP mitigation controls](https://docs.wallarm.com/agentic-ai/mcp-mitigation-controls.md): ACL policy, request verification, and tool input schema enforcement
* Added HEX encoding attack detection — the Node now decodes and analyzes HEX-encoded payloads, improving protection against obfuscation-based bypass techniques
* Fixed [API Specification Enforcement](https://docs.wallarm.com/updating-migrating/api-specification-enforcement/overview.md) incorrectly reporting requests as "undefined endpoint" for OpenAPI specs that define a base path in the `servers` block

### 0.24.1 (2026-04-27)

* Added the [`metrics.per_host_stats`](https://docs.wallarm.com/installation/native-node/all-in-one-conf.md#metricsper_host_stats) configuration parameter to control per-host metrics collection (enabled by default)
* Bumped Go version to 1.26.2
* Fixed intermittent errors in custom ruleset loading and GraphQL processing

### 0.24.0 (2026-04-06)

* Added [authentication flow detection](https://docs.wallarm.com/api-discovery/authentication.md) in API Discovery — automatically identifies authentication methods used by each endpoint and highlights unauthenticated endpoints
* Changed default [`log.proton_log_mask`](https://docs.wallarm.com/installation/native-node/all-in-one-conf.md#logproton_log_mask) from `info@*` to `info+@*` to show warning and error messages from the traffic analysis engine (previously only info-level messages were displayed)
* Changed default [`http_inspector.shm_dir`](https://docs.wallarm.com/installation/native-node/all-in-one-conf.md#http_inspectorshm_dir) from `/tmp` to `/opt/wallarm/shm` for better compatibility with containerized environments
* Fixed [API Specification Enforcement](https://docs.wallarm.com/api-specification-enforcement/overview.md) not triggering [specification processing overlimit](https://docs.wallarm.com/api-specification-enforcement/viewing-events.md#overlimit-events) events for requests exceeding size or time limits
* Updated [Prometheus metrics](https://docs.wallarm.com/admin-en/native-node-metrics-gonode.md):

    | Change | Metric |
    |--------|--------|
    | New | `wallarm_gonode_envoy_external_filter_requests_blocked_total` |
    | Changed | Per-host metrics (`*_per_host_total`) — `host` label is now validated, normalized to lowercase; invalid/oversized values bucketed under `__invalid_host__` |
    | Renamed | `…errors_total{type="ResponseBeforeRequest"}` → `…{type="ResponseReadyBeforeRequest"}` |
    | Removed | `wallarm_gonode_http_connector_server_errors_total{type="MsgType"}` |
* Fixed minor stability and reliability issues

### 0.23.2 (2026-03-24)

* Fixed the [GHSA-6g7g-w4f8-9c9x](https://github.com/advisories/GHSA-6g7g-w4f8-9c9x) vulnerability

### 0.23.1 (2026-03-19)

* Fixed a memory leak in the [API Specification Enforcement](https://docs.wallarm.com/api-specification-enforcement/overview.md) component that caused steadily increasing memory consumption and eventual OOMKill pod restarts
* Added new traffic metrics to the [`wallarm-status`](https://docs.wallarm.com/admin-en/configure-statistics-service.md) statistics service: `bytes_blocked_in`, `bytes_blocked_out`, `bytes_blocked_by_acl_in`, and `bytes_blocked_by_acl_out`

    These counters track the volume of incoming and outgoing traffic in blocked requests, split by block reason (attack/overlimit/antibot vs. denylists). Available in JSON, Prometheus, and per-application split formats.
* Bumped Go version to 1.26.1
* Fixed a shared memory allocation bug in the statistics service initialization that could lead to data corruption under high load
* Fixed memory limit handling for **wcli** jobs
* Fixed security vulnerabilities:

    * [CVE-2026-33186](https://nvd.nist.gov/vuln/detail/CVE-2026-33186)
    * [CVE-2026-27137](https://nvd.nist.gov/vuln/detail/CVE-2026-27137)
    * [CVE-2026-25679](https://nvd.nist.gov/vuln/detail/CVE-2026-25679)
    * [CVE-2026-27141](https://nvd.nist.gov/vuln/detail/CVE-2026-27141)
    * [CVE-2026-24049](https://nvd.nist.gov/vuln/detail/CVE-2026-24049)
    * [CVE-2026-27142](https://nvd.nist.gov/vuln/detail/CVE-2026-27142)
    * [CVE-2026-27138](https://nvd.nist.gov/vuln/detail/CVE-2026-27138)
    * [CVE-2026-22184](https://nvd.nist.gov/vuln/detail/CVE-2026-22184)
    * [CVE-2026-27171](https://nvd.nist.gov/vuln/detail/CVE-2026-27171)
    * [CVE-2026-27139](https://nvd.nist.gov/vuln/detail/CVE-2026-27139)

### 0.23.0 (2026-02-24)

* Added support for circular references in OpenAPI specifications uploaded for [API Specification Enforcement](https://docs.wallarm.com/api-specification-enforcement/overview.md)
* Added support for OpenAPI v3 specifications with non-string (for example, integer) YAML keys in [API Specification Enforcement](https://docs.wallarm.com/api-specification-enforcement/overview.md). This improves compatibility and prevents schema parsing failures
* Increased the frequency of session updates sent to the Wallarm Cloud. Sessions now appear in the UI faster, closer to real time
* Improved memory usage monitoring and prevention of resource exhaustion
* Added API token masking in Node logs to prevent sensitive data exposure
* Fixed the [CVE-2026-21441](https://scout.docker.com/vulnerabilities/id/CVE-2026-21441) vulnerability
* Fixed an issue where the Node sent too many requests in a single batch to **wstore**, causing submission failures
* Minor bug fixes and performance improvements

### 0.22.2 (2026-05-08)

* Added [`connector.app_reply_timeout`](https://docs.wallarm.com/installation/native-node/all-in-one-conf.md#connectorapp_reply_timeout) and [`connector.app_reply_timeout_code`](https://docs.wallarm.com/installation/native-node/all-in-one-conf.md#connectorapp_reply_timeout_code) configuration parameters that enforce a hard time-based cut-off on request handling in `connector-server` mode. Use them when the upstream caller (for example, an API gateway) requires a strict response budget per request

### 0.22.1 (2026-02-03)

* Fixed an issue where real IP header overrides were not applied when the header value contained an IP address with a port

### 0.22.0 (2025-12-23)

* Added support for the [Gloo Gateway connector](https://docs.wallarm.com/installation/connectors/gloo.md)
* Fixed the issue where integers were not being masked when using the ["Mask sensitive data" rule](https://docs.wallarm.com/user-guides/rules/sensitive-data-rule.md)
* Fixed the issue where responses containing infoleak stamps were being blocked

    Wallarm no longer blocks such responses, as doing so caused false detections and prevented rules from being edited
* Fixed connector server waiting for the response data that is known to never arrive

### 0.21.0 (2025-12-17)

* Added support for the [Amazon API Gateway connector](https://docs.wallarm.com/installation/connectors/aws-api-gateway.md)
* Added the `client_uuid` label to all `*_per_app*` and `*_per_host*` [Prometheus metrics](https://docs.wallarm.com/admin-en/native-node-metrics-gonode.md) for Nodes running in multi-tenant mode
* Fixed the issue where the [`wallarm_status` service statistics](https://docs.wallarm.com/admin-en/configure-statistics-service.md) contained the outdated `abnormal` metric, which was incorrectly increasing with each request

    The metric and other outdated fields have been removed.
* Fixed an issue where large or overlapping denylisted IP ranges were not being blocked in Security Edge-hosted environments
* Fixed the following vulnerabilities:

    * [CVE-2025-66418](https://nvd.nist.gov/vuln/detail/CVE-2025-66418)
    * [CVE-2025-66471](https://nvd.nist.gov/vuln/detail/CVE-2025-66471)
    * [CVE-2024-58251](https://nvd.nist.gov/vuln/detail/CVE-2024-58251)
    * [CVE-2025-46394](https://nvd.nist.gov/vuln/detail/CVE-2025-46394)

### 0.20.0 (2025-11-25)

* Introduced support for OpenAPI 3.1 in the [API Specification Enforcement](https://docs.wallarm.com/api-specification-enforcement/overview.md) feature — you can now upload specifications in version 3.1 format to compare traffic against them, identify mismatches, and mitigate related security risks
* Added [Prometheus metrics support](https://docs.wallarm.com/admin-en/native-node-metrics-wstore.md) for the Postanalytics **wstore** component. The metrics are available by default at `http://localhost:9001/metrics` using the `tcp4` (IPv4-only) protocol

    You can change the default metrics host, port, and protocol by setting the following environment variables when deploying the Node:

    * `WALLARM_WSTORE__METRICS__LISTEN_ADDRESS` — defines the host and port
    * `WALLARM_WSTORE__METRICS__PROTOCOL` — defines the protocol

* Added [Prometheus metrics support](https://docs.wallarm.com/admin-en/native-node-metrics-gonode.md#wallarm_gonode_apifw_)for API Specification Enforcement service operation (based on the built-in API Firewall service). API Firewall metrics are included as part of the [`go-node` Prometheus metrics](https://docs.wallarm.com/admin-en/native-node-metrics.md)
* Removed support for the deprecated `http_inspector.real_ip_header` configuration parameter
* Improved Node initialization logs — added detailed information about component type, supported versions, error source, API endpoint, and Node UUID to simplify troubleshooting during the initialization stage
* Fixed the [CVE-2025-58188](https://www.cve.org/CVERecord?id=CVE-2025-58188) vulnerability
* Bug fixes:

    * Fixed an issue where the Aggregation/**wcli** container could enter a crash loop due to an out-of-memory (OOM) condition
    * Fixed an issue where the Node raised an error when a JWT token was sent in the `Authorization: Bearer` header
    * Fixed invalid type error when editing automatically created rules for attacks detected in gRPC responses
    * Fixed a race condition in out-of-band connectors, resolving the `FlowIsMissingRequest`, `FlowIsMissingResponse`, and occasional duplicate ID errors
    * Fixed the issue where the `verdict` field in `go-node` access logs was occasionally missing, incorrectly formatted, and not JSON-compatible

### 0.19.0 (2025-10-07)

* Added support for [blocking attackers by API sessions](https://docs.wallarm.com/api-sessions/blocking.md)
* Added [multitenancy support](https://docs.wallarm.com/installation/multi-tenant/overview.md)
* Changed the default **wstore** binding to IPv4 (`tcp4`), it now listens only on IPv4 instead of dual‑stack

    If your configuration uses `localhost` for **wstore**, update it to `127.0.0.1`.
* Introduced protocol selection (tcp, tcp4, tcp6) via the [`WALLARM_WSTORE__SERVICE__PROTOCOL`](https://docs.wallarm.com/installation/native-node/docker-image.md#4-run-the-docker-container) environment variable

    The default value is `"tcp4"`.
* Relaxed content-type validation in [API Specification Enforcement](https://docs.wallarm.com/api-specification-enforcement/overview.md): requests with image MIME types (`image/png`, `image/jpeg`, `image/gif`, `image/webp`, `image/avif`, `image/heic`, `image/heif`, `image/bmp`, `image/tiff`, `image/svg+xml`) are no longer rejected
* Bumped Go version to 1.24
* Bug fixes:

    * Fixed an issue where the `go-node` process could segfault in production environments
    * Fixed an issue where response context parameters configured in [API Sessions](https://docs.wallarm.com/api-sessions/setup.md) were not uploaded to the Wallarm Cloud    
    * Fixed an issue with incorrect [remote_addr](https://docs.wallarm.com/user-guides/rules/request-processing.md#ip-address-of-a-request-origin) parsing

### 0.18.0 (2025-09-17)

* Added support for the [Azure API Management connector](https://docs.wallarm.com/installation/connectors/azure-api-management.md)
* Added support for the [Apigee API Management connector](https://docs.wallarm.com/installation/connectors/apigee.md)
* Updated Go version to 1.25
* `http_inspector.workers: auto` now respects Kubernetes `cgroup` limits
* Optimized mesh balancing logic for scale-up and scale-down events
* Bug fixes:

    * Fixed issue where the `go-node` process did not terminate correctly when stopped too early
    * Fixed issue where the `go-node` process ignored failures of metrics/health-check/mesh listeners
    * Fixed issue where `http_inspector` workers silently ignored ACL errors, addressing the most common source of these errors

### 0.17.1 (2025-08-15)

* Fixed the stuffed credentials export to the Cloud
* Improved GraphQL parser
* Optimized the internal channel between the Node and wstore to increase throughput
    
    This prevents potential data loss when the Node ingests traffic faster than it can export it to postanalytics.
* Fixed an issue where serialized requests without a source IP address failed to be exported to postanalytics
* Bug fixes and internal improvements

### 0.16.3 (2025-08-05)

* Added support for the [Akamai connector](https://docs.wallarm.com/installation/connectors/akamai-edgeworkers.md)
* Fixed a silent failure when upgrading with the `--preserve` flag set to `true`

### 0.16.1 (2025-08-01)

* Added new [Prometheus metrics](https://docs.wallarm.com/admin-en/native-node-metrics.md):

    * `wallarm_gonode_application_info` with the general Native Node instance information, e.g.:
    
        ```bash
        wallarm_gonode_application_info{deployment_type="node-native-aio-installer",mode="connector-server",version="0.16.1"} 1
        ```
    
    * `wallarm_gonode_http_inspector_balancer_workers`
    * `wallarm_gonode_http_inspector_debug_container_len` now includes `aggregate="sum"` for `type="channel:in"`
    * `wallarm_gonode_http_inspector_errors_total` now includes a new `type="FlowTimeouts"`
* Improved stability in the internal `http_inspector` module

### 0.16.0 (2025-07-23)

* Added support for [file upload restriction policy](https://docs.wallarm.com/api-protection/file-upload-restriction.md) via mitigation controls
* Added support for [unrestricted resource consumption](https://docs.wallarm.com/attacks-vulns-list.md#unrestricted-resource-consumption) mitigation by [API Abuse Prevention](https://docs.wallarm.com/api-abuse-prevention/overview.md)
* Added support for the [MuleSoft Flex Gateway connector](https://docs.wallarm.com/installation/connectors/mulesoft-flex.md)
* Introduced the [`input_filters`](https://docs.wallarm.com/installation/native-node/all-in-one-conf.md#input_filters) configuration section, allowing to define which requests should be inspected or bypassed by the Node
* Fixed memory leak
* In rules, the separator used in [**xml_tag**](https://docs.wallarm.com/user-guides/rules/request-processing.md#xml) values that combine a URI, namespace, and tag name has been changed from `:` to `|`
* Fixed blocking issue with denylisted origins and Wallarm Console UI-configured mode
* Internal improvements

### 0.15.1 (2025-07-08)

* Added support for [mitigation control-based](https://docs.wallarm.com/api-protection/graphql-rule.md#mitigation-control-based-protection) **GraphQL API Protection**
* Introduced the [`proxy_headers`](https://docs.wallarm.com/installation/native-node/all-in-one-conf.md#proxy_headers) configuration to configure trusted networks and extract real client IP and host headers
* Added the [`metrics.namespace`](https://docs.wallarm.com/installation/native-node/all-in-one-conf.md#metricsnamespace) configuration option to customize the prefix of Prometheus metrics exposed by the `go-node` binary
* Added [`connector.per_connection_limits`](https://docs.wallarm.com/installation/native-node/all-in-one-conf.md#connectorper_connection_limits) to control `keep-alive` connection limits
* Minor internal file structure change
* Fixed wstore ports binding: now bound to `127.0.0.1` instead of `0.0.0.0`
* Fixed the [CVE-2025-22874](https://nvd.nist.gov/vuln/detail/CVE-2025-22874) vulnerability
* Fixed the [CVE-2025-47273](https://nvd.nist.gov/vuln/detail/CVE-2025-47273) vulnerability

### 0.14.1 (2025-05-07)

* Added support for the [IBM API Connect connector](https://docs.wallarm.com/installation/connectors/ibm-api-connect.md)
* Fixed the [CVE-2025-22871](https://nvd.nist.gov/vuln/detail/CVE-2025-22871) vulnerability
* Added support for external health check endpoint

    This is controlled by the new [`connector.external_health_check`](https://docs.wallarm.com/installation/native-node/all-in-one-conf.md#connectorexternal_health_check) configuration section.
* Fixed a recurring intermittent bug that could cause occasional corruption of request and response bodies
* Fixed incorrect display of Native Node versions in Wallarm Console → **Nodes**

### 0.14.0 (2025-04-16)

* Wallarm Node now uses **wstore**, a Wallarm-developed service, instead of Tarantool for local postanalytics processing
* The collectd service, previously installed on all filtering nodes, has been removed along with its related plugins
    
    Metrics are now collected and sent using Wallarm's built-in mechanisms, reducing dependencies on external tools.

## Amazon Machine Image (AMI)



### 0.14.0 (2025-05-07)

* Initial release