GCP Release Notes: October 12, 2025

Apigee hybrid

Announcement

hybrid v1.15.1

On October 10, 2025 we released an updated version of the Apigee hybrid software, 1.15.1.

• For information on upgrading, see Upgrading Apigee hybrid to version 1.15.
• For information on new installations, see The big picture.

Feature

Recurring, top-up, and setup fees for Apigee hybrid monetization

Apigee hybrid now supports recurring, top-up, and setup fees for monetization. For information see Enabling monetization for Apigee hybrid.

Feature

Apigee policies for LLM/GenAI workloads

Apigee hybrid now supports the following Apigee policies with support for LLM/GenAI workloads.

• SemanticCacheLookup policy
• SemanticCachePopulate policy
• SanitizeUserPrompt
• SanitizeModelResponse

The Apigee semantic caching policies enable intelligent response reuse based on semantic similarity. Using these policies in your Apigee API proxies can minimize redundant backend API calls, reduce latency, and lower operational costs. With this release, the semantic caching policies support URL templating, enabling the use of variables for AI model endpoint values.

The Model Armor policies protect your AI applications by sanitizing user prompts to and responses from large language models (LLMs). Using these policies in your Apigee API proxies can mitigate the risks associated with LLM usage by leveraging Model Armor to detect prompt injection, prevent jailbreak attacks, apply responsible AI filters, filter malicious URLs, and protect sensitive data.

For more information on using these policies in your Apigee API proxies, see:

• Get started with semantic caching policies
• Get started with Apigee Model Armor policies

Fixed

Bug ID	Description
451375397	The apigee-pull-push.sh script could return a No such image error message.
445912919	Unused files and folders have been removed from the Apigee hybrid Helm charts to prevent potential security exposure and streamline the product installation and upgrade process.
442501403	Fixed an issue that caused incorrect target latency metrics in Apigee Analytics when a TargetEndpoint is configured with a <LoadBalancer>.
437999897	Reduced the log level for failed geo IP lookups to address excessive log messages for private IP addresses.
431930277, 395272878	When the configuration property envs.managementCallsSkipProxy is set to true via helm for environment-level forward proxy, trace and analytics (which use googleapis.com) will skip forward proxy.
423597917	Post of an AppGroupAppKey scopes should result in insert operation instead of update.
419578402	Mint-Mart forward proxy compatible.
416634326	Presence of istio.io Custom Resource Definitions (CRDs) in an Apigee hybrid cluster could cause failure in apigee-ingressgateway-manager pods.
412740465	Fixed issue where zipkin headers were not generated by Apigee Ingress Gateway.
409048431	Fixes a vulnerability which could allow a SAML signature verification to be bypassed.
378686709	The use of wildcards (*) in Apigee proxy basepaths would conflict with other explicit basepaths, resulting in a 404 error. To apply this fix, follow the procedure in Known issue 378686709.
367815792	Two new Flow Variables: app_group_app and app_group_name have been added to VerifyApiKey and Access Token policy.

Security

Bug ID	Description
448498138	Security fixes for apigee-runtime. This addresses the following vulnerability: CVE-2024-40094
447367372	Security fixes for apigee-runtime. This addresses the following vulnerability: CVE-2025-58057
418557195	Security fixes for apigee-fluent-bit. This addresses the following vulnerabilities: CVE-2025-24528 CVE-2025-4207 CVE-2025-1390 CVE-2024-26462 CVE-2024-13176
N/A	Security fixes for apigee-fluent-bit. This addresses the following vulnerabilities: CVE-2025-32990 CVE-2025-32988
N/A	Security fixes for apigee-hybrid-cassandra. This addresses the following vulnerability: CVE-2025-23015
N/A	Security fixes for apigee-mart-server. This addresses the following vulnerabilities: CVE-2025-58057 CVE-2025-58056 CVE-2025-55163 CVE-2025-48924 CVE-2025-48795 CVE-2025-48734 CVE-2025-24970 CVE-2024-47554 CVE-2024-47535 CVE-2024-13009 CVE-2024-8184 CVE-2024-7254 CVE-2024-6763
N/A	Security fixes for apigee-stackdriver-logging-agent. This addresses the following vulnerabilities: CVE-2025-58767 CVE-2025-24294 CVE-2023-33953 CVE-2022-32511 CVE-2022-29181 CVE-2022-24839 CVE-2022-24836 CVE-2022-0759 CVE-2021-41817 CVE-2021-31799 CVE-2021-30560 CVE-2021-28965 CVE-2021-23214 CVE-2020-25695 CVE-2020-25694 CVE-2020-25613 CVE-2019-3881 CVE-2018-25032 CVE-2018-1115 CVE-2018-10915 CVE-2018-1058 CVE-2018-1053 CVE-2017-7546 CVE-2017-7484 CVE-2017-15098 CVE-2017-14798 CVE-2016-7954 CVE-2016-7048 CVE-2016-5424 CVE-2016-5423 CVE-2016-0766 CVE-2015-3167 CVE-2015-3166 CVE-2015-0244 CVE-2015-0243 CVE-2015-0241

Changed

Documentation change

The following documents have been changed or introduced to align the Apigee hybrid installation guides with the supported methods for service account authentication:

• Service account authentication methods in Apigee hybrid – A new overview topic for service account authentication.
• Storing service account keys in Kubernetes secrets – A new topic.
• Step 4: Create service accounts – Rewritten to accommodate all supported methods of service account authentication.
• Step 5: Set up service account authentication – A new topic on configuring authentication after creating service accounts.
• Step 7: Create the overrides and Step 11: Install Apigee hybrid Using Helm – Topics revised to provide templates, examples, and procedures for each supported type of service account authentication.
• Step 11(Optional): Configure Workload Identity – Topic removed. The procedures are included in Step 11: Install Apigee hybrid Using Helm: WIF for GKE

Source: Google Cloud Platform