---
title: Changelog
description: This week's release focuses on improvements to existing detections to enhance coverage.
image: https://developers.cloudflare.com/core-services-preview.png
---

> Documentation Index  
> Fetch the complete documentation index at: https://developers.cloudflare.com/waf/llms.txt  
> Use this file to discover all available pages before exploring further. 

[Skip to content](#%5Ftop) 

# Changelog

[ Subscribe to RSS ](https://developers.cloudflare.com/changelog/rss/waf.xml) 

## 2026-01-15

  
**WAF Release - 2026-01-15**   

This week's release focuses on improvements to existing detections to enhance coverage.

**Key Findings**

* Existing rule enhancements have been deployed to improve detection resilience against SQL Injection.

| Ruleset                    | Rule ID     | Legacy Rule ID | Description                   | Previous Action | New Action | Comments                                                                                |
| -------------------------- | ----------- | -------------- | ----------------------------- | --------------- | ---------- | --------------------------------------------------------------------------------------- |
| Cloudflare Managed Ruleset | ...ad7dad3e | N/A            | SQLi - String Function - Beta | Log             | Block      | This rule is merged into the original rule "SQLi - String Function" (ID: ...d32b798c  ) |
| Cloudflare Managed Ruleset | ...9e553ad3 | N/A            | SQLi - Sub Query - Beta       | Log             | Block      | This rule is merged into the original rule "SQLi - Sub Query" (ID: ...743e66b1  )       |

## 2026-01-12

  
**WAF Release - 2026-01-12**   

This week's release focuses on improvements to existing detections to enhance coverage.

**Key Findings**

* Existing rule enhancements have been deployed to improve detection resilience against SQL Injection.

| Ruleset                    | Rule ID     | Legacy Rule ID | Description                        | Previous Action | New Action | Comments                                                                                     |
| -------------------------- | ----------- | -------------- | ---------------------------------- | --------------- | ---------- | -------------------------------------------------------------------------------------------- |
| Cloudflare Managed Ruleset | ...48a1841a | N/A            | SQLi - AND/OR MAKE\_SET/ELT - Beta | Log             | Block      | This rule is merged into the original rule "SQLi - AND/OR MAKE\_SET/ELT" (ID: ...252d3934  ) |
| Cloudflare Managed Ruleset | ...9e553ad3 | N/A            | SQLi - Benchmark Function - Beta   | Log             | Block      | This rule is merged into the original rule "SQLi - Benchmark Function" (ID: ...2ebc44ad  )   |

## 2025-12-18

  
**WAF Release - 2025-12-18**   

This week's release focuses on improvements to existing detections to enhance coverage.

**Key Findings**

* Existing rule enhancements have been deployed to improve detection resilience against broad classes of web attacks and strengthen behavioral coverage.

| Ruleset                    | Rule ID     | Legacy Rule ID | Description                                                       | Previous Action | New Action | Comments                                                                                                                    |
| -------------------------- | ----------- | -------------- | ----------------------------------------------------------------- | --------------- | ---------- | --------------------------------------------------------------------------------------------------------------------------- |
| Cloudflare Managed Ruleset | ...be5ec20c | N/A            | Atlassian Confluence - Code Injection - CVE:CVE-2021-26084 - Beta | Log             | Block      | This rule is merged into the original rule "Atlassian Confluence - Code Injection - CVE:CVE-2021-26084" (ID: ...69e0b97a  ) |
| Cloudflare Managed Ruleset | ...0d9206e3 | N/A            | PostgreSQL - SQLi - Copy - Beta                                   | Log             | Block      | This rule is merged into the original rule "PostgreSQL - SQLi - COPY" (ID: ...e7265a4e  )                                   |
| Cloudflare Managed Ruleset | ...0cd00ba7 | N/A            | Generic Rules - Command Execution - Body                          | Log             | Disabled   | This is a new detection.                                                                                                    |
| Cloudflare Managed Ruleset | ...cd679ad4 | N/A            | Generic Rules - Command Execution - Header                        | Log             | Disabled   | This is a new detection.                                                                                                    |
| Cloudflare Managed Ruleset | ...fd181fb3 | N/A            | Generic Rules - Command Execution - URI                           | Log             | Disabled   | This is a new detection.                                                                                                    |
| Cloudflare Managed Ruleset | ...7a95bc3a | N/A            | SQLi - Tautology - URI - Beta                                     | Log             | Block      | This rule is merged into the original rule "SQLi - Tautology - URI" (ID: ...b3de2e0a  )                                     |
| Cloudflare Managed Ruleset | ...432ac90d | N/A            | SQLi - WaitFor Function - Beta                                    | Log             | Block      | This rule is merged into the original rule "SQLi - WaitFor Function" (ID: ...d5faba59  )                                    |
| Cloudflare Managed Ruleset | ...596c741e | N/A            | SQLi - AND/OR Digit Operator Digit 2 - Beta                       | Log             | Block      | This rule is merged into the original rule "SQLi - AND/OR Digit Operator Digit" (ID: ...88d80772  )                         |
| Cloudflare Managed Ruleset | ...03b2f3fe | N/A            | SQLi - Equation 2 - Beta                                          | Log             | Block      | This rule is merged into the original rule "SQLi - Equation" (ID: ...a72a6b3a  )                                            |

## 2025-12-11

  
**WAF Release - 2025-12-11 - Emergency**   

This emergency release introduces rules for CVE-2025-55183 and CVE-2025-55184, targeting server-side function exposure and resource-exhaustion patterns, respectively.

**Key Findings**

Added coverage for Leaking Server Functions (CVE-2025-55183) and React Function DoS detection (CVE-2025-55184).

**Impact**

These updates strengthen protection for server-function abuse techniques (CVE-2025-55183, CVE-2025-55184) that may expose internal logic or disrupt application availability.

| Ruleset                    | Rule ID     | Legacy Rule ID | Description                                           | Previous Action | New Action | Comments                                                            |
| -------------------------- | ----------- | -------------- | ----------------------------------------------------- | --------------- | ---------- | ------------------------------------------------------------------- |
| Cloudflare Managed Ruleset | ...fefb4e9b | N/A            | React - Leaking Server Functions - CVE:CVE-2025-55183 | N/A             | Block      | This was labeled as Generic - Server Function Source Code Exposure. |
| Cloudflare Free Ruleset    | ...251e86aa | N/A            | React - Leaking Server Functions - CVE:CVE-2025-55183 | N/A             | Block      | This was labeled as Generic - Server Function Source Code Exposure. |
| Cloudflare Managed Ruleset | ...102ec699 | N/A            | React - DoS - CVE:CVE-2025-55184                      | N/A             | Disabled   | This was labeled as Generic – Server Function Resource Exhaustion.  |

## 2025-12-10

  
**WAF Release - 2025-12-10 - Emergency**   

This additional week's emergency release introduces improvements to our existing rule for React – Remote Code Execution – CVE-2025-55182 - 2, along with two new generic detections covering server-side function exposure and resource-exhaustion patterns.

**Key Findings**

Enhanced detection logic for React – RCE – CVE-2025-55182, added Generic – Server Function Source Code Exposure, and added Generic – Server Function Resource Exhaustion.

**Impact**

These updates strengthen protection against React RCE exploitation attempts and broaden coverage for common server-function abuse techniques that may expose internal logic or disrupt application availability.

| Ruleset                    | Rule ID     | Legacy Rule ID | Description                                            | Previous Action | New Action | Comments                       |
| -------------------------- | ----------- | -------------- | ------------------------------------------------------ | --------------- | ---------- | ------------------------------ |
| Cloudflare Managed Ruleset | ...15fce168 | N/A            | React - Remote Code Execution - CVE:CVE-2025-55182 - 2 | N/A             | Block      | This is an improved detection. |
| Cloudflare Free Ruleset    | ...74746aff | N/A            | React - Remote Code Execution - CVE:CVE-2025-55182 - 2 | N/A             | Block      | This is an improved detection. |
| Cloudflare Managed Ruleset | ...fefb4e9b | N/A            | Generic - Server Function Source Code Exposure         | N/A             | Block      | This is a new detection.       |
| Cloudflare Free Ruleset    | ...251e86aa | N/A            | Generic - Server Function Source Code Exposure         | N/A             | Block      | This is a new detection.       |
| Cloudflare Managed Ruleset | ...102ec699 | N/A            | Generic - Server Function Resource Exhaustion          | N/A             | Disabled   | This is a new detection.       |

## 2025-12-05

  
**Increased WAF payload limit for all plans**   

Cloudflare WAF now inspects request-payload size of up to 1 MB across all plans to enhance our detection capabilities for React RCE (CVE-2025-55182).

**Key Findings**

React payloads commonly have a default maximum size of 1 MB. Cloudflare WAF previously inspected up to 128 KB on Enterprise plans, with even lower limits on other plans.

**Update:** We later reinstated the maximum request-payload size the Cloudflare WAF inspects. Refer to [Updating the WAF maximum payload values](https://developers.cloudflare.com/changelog/2025-12-05-waf-max-payload-size-change/) for details.

## 2025-12-05

  
**Updating the WAF maximum payload values**   

We are reinstating the maximum request-payload size the Cloudflare WAF inspects, with WAF on Enterprise zones inspecting up to 128 KB.

**Key Findings**

On [December 5, 2025](https://developers.cloudflare.com/changelog/2025-12-05-rcs-vuln/), we initially attempted to increase the maximum WAF payload limit to 1 MB across all plans. However, an automatic rollout for all customers proved impractical because the increase led to a surge in false positives for existing managed rules.

This issue was particularly notable within the Cloudflare Managed Ruleset and the Cloudflare OWASP Core Ruleset, impacting customer traffic.

**Impact**

Customers on paid plans can increase the limit to 1 MB for any of their zones by contacting Cloudflare Support. Free zones are already protected up to 1 MB and do not require any action.

## 2025-12-03

  
**WAF Release - 2025-12-03 - Emergency**   

The WAF rule deployed yesterday to block unsafe deserialization-based RCE has been updated. The rule description now reads “React – RCE – CVE-2025-55182”, explicitly mapping to the recently disclosed React Server Components vulnerability. Detection logic remains unchanged.

**Key Findings**

Rule description updated to reference React – RCE – CVE-2025-55182 while retaining existing unsafe-deserialization detection.

**Impact**

Improved classification and traceability with no change to coverage against remote code execution attempts.

| Ruleset                    | Rule ID     | Legacy Rule ID | Description                      | Previous Action | New Action | Comments                                                |
| -------------------------- | ----------- | -------------- | -------------------------------- | --------------- | ---------- | ------------------------------------------------------- |
| Cloudflare Managed Ruleset | ...5fb92fba | N/A            | React - RCE - CVE:CVE-2025-55182 | N/A             | Block      | Rule metadata description changed. Detection unchanged. |
| Cloudflare Free Ruleset    | ...99702280 | N/A            | React - RCE - CVE:CVE-2025-55182 | N/A             | Block      | Rule metadata description changed. Detection unchanged. |

## 2025-12-02

  
**WAF Release - 2025-12-02 - Emergency**   

This week's emergency release introduces a new rule to block a critical RCE vulnerability in widely-used web frameworks through unsafe deserialization patterns.

**Key Findings**

New WAF rule deployed for RCE Generic Framework to block malicious POST requests containing unsafe deserialization patterns. If successfully exploited, this vulnerability allows attackers with network access via HTTP to execute arbitrary code remotely.

**Impact**

* Successful exploitation allows unauthenticated attackers to execute arbitrary code remotely through crafted serialization payloads, enabling complete system compromise, data exfiltration, and potential lateral movement within affected environments.

| Ruleset                    | Rule ID     | Legacy Rule ID | Description             | Previous Action | New Action | Comments                 |
| -------------------------- | ----------- | -------------- | ----------------------- | --------------- | ---------- | ------------------------ |
| Cloudflare Managed Ruleset | ...5fb92fba | N/A            | RCE Generic - Framework | N/A             | Block      | This is a new detection. |
| Cloudflare Free Ruleset    | ...99702280 | N/A            | RCE Generic - Framework | N/A             | Block      | This is a new detection. |

## 2025-12-01

  
**WAF Release - 2025-12-01**   

This week’s release introduces new detections for remote code execution attempts targeting Monsta FTP (CVE-2025-34299), alongside improvements to an existing XSS detection to enhance coverage.

**Key Findings**

* CVE-2025-34299 is a critical remote code execution flaw in Monsta FTP, arising from improper handling of user-supplied parameters within the file-handling interface. Certain builds allow crafted requests to bypass sanitization and reach backend PHP functions that execute arbitrary commands. Attackers can send manipulated parameters through the web panel to trigger command execution within the application’s runtime environment.

**Impact**

If exploited, the vulnerability enables full remote command execution on the underlying server, allowing takeover of the hosting environment, unauthorized file access, and potential lateral movement. As the flaw can be triggered without authentication on exposed Monsta FTP instances, it represents a severe risk for publicly reachable deployments.

| Ruleset                    | Rule ID     | Legacy Rule ID | Description                                             | Previous Action | New Action | Comments                                                                                 |
| -------------------------- | ----------- | -------------- | ------------------------------------------------------- | --------------- | ---------- | ---------------------------------------------------------------------------------------- |
| Cloudflare Managed Ruleset | ...a4fcc8a8 | N/A            | Monsta FTP - Remote Code Execution - CVE:CVE-2025-34299 | Log             | Block      | This is a new detection                                                                  |
| Cloudflare Managed Ruleset | ...b7492846 | N/A            | XSS - JS Context Escape - Beta                          | Log             | Block      | This rule is merged into the original rule "XSS - JS Context Escape" (ID: ...7a3769d3  ) |

## 2025-11-24

  
**WAF Release - 2025-11-24**   

This week highlights enhancements to detection signatures improving coverage for vulnerabilities in FortiWeb, linked to CVE-2025-64446, alongside new detection logic expanding protection against PHP Wrapper Injection techniques.

**Key Findings**

This vulnerability enables an unauthenticated attacker to bypass access controls by abusing the `CGIINFO` header. The latest update strengthens detection logic to ensure a reliable identification of crafted requests attempting to exploit this flaw.

**Impact**

* FortiWeb (CVE-2025-64446): Exploitation allows a remote unauthenticated adversary to circumvent authentication mechanisms by sending a manipulated `CGIINFO` header to FortiWeb’s backend CGI handler. Successful exploitation grants unintended access to restricted administrative functionality, potentially enabling configuration tampering or system-level actions.

| Ruleset                    | Rule ID     | Legacy Rule ID | Description                                                              | Previous Action | New Action | Comments                                                                                            |
| -------------------------- | ----------- | -------------- | ------------------------------------------------------------------------ | --------------- | ---------- | --------------------------------------------------------------------------------------------------- |
| Cloudflare Managed Ruleset | ...4e2e1a2e | N/A            | FortiWeb - Authentication Bypass via CGIINFO Header - CVE:CVE-2025-64446 | Log             | Block      | This is a new detection                                                                             |
| Cloudflare Managed Ruleset | ...b6c44ed5 | N/A            | PHP Wrapper Injection - Body - Beta                                      | Log             | Disabled   | This rule has been merged into the original rule "PHP Wrapper Injection - Body" (ID: ...1a3e521e  ) |
| Cloudflare Managed Ruleset | ...900f4015 | N/A            | PHP Wrapper Injection - URI - Beta                                       | Log             | Disabled   | This rule has been merged into the original rule "PHP Wrapper Injection - URI" (ID: ...8f76bd74  )  |

## 2025-11-21

  
**WAF Release - 2025-11-21**   

This week’s release introduces a critical detection for CVE-2025-61757, a vulnerability in the Oracle Identity Manager REST WebServices component.

**Key Findings**

This flaw allows unauthenticated attackers with network access over HTTP to fully compromise the Identity Manager, potentially leading to a complete takeover.

**Impact**

Oracle Identity Manager (CVE-2025-61757): Exploitation could allow an unauthenticated remote attacker to bypass security checks by sending specially crafted requests to the application's message processor. This enables the creation of arbitrary employee accounts, which can be leveraged to modify system configurations and achieve full system compromise.

| Ruleset                    | Rule ID     | Legacy Rule ID | Description                                                 | Previous Action | New Action | Comments                 |
| -------------------------- | ----------- | -------------- | ----------------------------------------------------------- | --------------- | ---------- | ------------------------ |
| Cloudflare Managed Ruleset | ...39fdbe7e | N/A            | Oracle Identity Manager - Pre-Auth RCE - CVE:CVE-2025-61757 | N/A             | Block      | This is a new detection. |

## 2025-11-17

  
**WAF Release - 2025-11-17**   

This week highlights enhancements to detection signatures improving coverage for vulnerabilities in DELMIA Apriso, linked to CVE-2025-6205.

**Key Findings**

This vulnerability allows unauthenticated attackers to gain privileged access to the application. The latest update provides enhanced detection logic for resilient protection against exploitation attempts.

**Impact**

* DELMIA Apriso (CVE-2025-6205): Exploitation could allow an unauthenticated remote attacker to bypass security checks by sending specially crafted requests to the application's message processor. This enables the creation of arbitrary employee accounts, which can be leveraged to modify system configurations and achieve full system compromise.

| Ruleset                    | Rule ID     | Legacy Rule ID | Description                                     | Previous Action | New Action | Comments                                                |
| -------------------------- | ----------- | -------------- | ----------------------------------------------- | --------------- | ---------- | ------------------------------------------------------- |
| Cloudflare Managed Ruleset | ...d256f4bc | N/A            | DELMIA Apriso - Auth Bypass - CVE:CVE-2025-6205 | Log             | Block      | This is a new detection.                                |
| Cloudflare Managed Ruleset | ...1a3e521e | N/A            | PHP Wrapper Injection - Body                    | N/A             | Disabled   | Rule metadata description refined. Detection unchanged. |
| Cloudflare Managed Ruleset | ...8f76bd74 | N/A            | PHP Wrapper Injection - URI                     | N/A             | Disabled   | Rule metadata description refined. Detection unchanged. |

## 2025-11-10

  
**WAF Release - 2025-11-10**   

This week’s release introduces new detections for Prototype Pollution across three common vectors: URI, Body, and Header/Form.

**Key Findings**

* These attacks can affect both API and web applications by altering normal behavior or bypassing security controls.

**Impact**

Exploitation may allow attackers to change internal logic or cause unexpected behavior in applications using JavaScript or Node.js frameworks. Developers should sanitize input keys and avoid merging untrusted data structures.

| Ruleset                    | Rule ID     | Legacy Rule ID | Description                                         | Previous Action | New Action | Comments                |
| -------------------------- | ----------- | -------------- | --------------------------------------------------- | --------------- | ---------- | ----------------------- |
| Cloudflare Managed Ruleset | ...606285e6 | N/A            | Generic Rules - Prototype Pollution - URI           | Log             | Disabled   | This is a new detection |
| Cloudflare Managed Ruleset | ...4f59ff26 | N/A            | Generic Rules - Prototype Pollution - Body          | Log             | Disabled   | This is a new detection |
| Cloudflare Managed Ruleset | ...7efbeb39 | N/A            | Generic Rules - Prototype Pollution - Header - Form | Log             | Disabled   | This is a new detection |

## 2025-11-05

  
**WAF Release - 2025-11-05 - Emergency**   

This week’s emergency release introduces a new detection signature that enhances coverage for a critical vulnerability in the React Native Metro Development Server, tracked as CVE-2025-11953.

**Key Findings**

The Metro Development Server exposes an HTTP endpoint that is vulnerable to OS command injection (CWE-78). An unauthenticated network attacker can send a crafted request to this endpoint and execute arbitrary commands on the host running Metro. The vulnerability affects Metro/cli-server-api builds used by React Native Community CLI in pre-patch development releases.

**Impact**

Successful exploitation of CVE-2025-11953 may result in remote command execution on developer workstations or CI/build agents, leading to credential and secret exposure, source tampering, and potential lateral movement into internal networks. Administrators and developers are strongly advised to apply the vendor's patches and restrict Metro’s network exposure to reduce this risk.

| Ruleset                    | Rule ID     | Legacy Rule ID | Description                                                 | Previous Action | New Action | Comments                |
| -------------------------- | ----------- | -------------- | ----------------------------------------------------------- | --------------- | ---------- | ----------------------- |
| Cloudflare Managed Ruleset | ...c8e30c5b | N/A            | React Native Metro - Command Injection - CVE:CVE-2025-11953 | N/A             | Block      | This is a New Detection |

## 2025-11-03

  
**WAF Release - 2025-11-03**   

This week highlights enhancements to detection signatures improving coverage for vulnerabilities in Adobe Commerce and Magento Open Source, linked to CVE-2025-54236.

**Key Findings**

This vulnerability allows unauthenticated attackers to take over customer accounts through the Commerce REST API and, in certain configurations, may lead to remote code execution. The latest update provides enhanced detection logic for resilient protection against exploitation attempts.

**Impact**

* Adobe Commerce (CVE-2025-54236): Exploitation may allow attackers to hijack sessions, execute arbitrary commands, steal data, and disrupt storefronts, resulting in confidentiality and integrity risks for merchants. Administrators are strongly encouraged to apply vendor patches without delay.

| Ruleset                    | Rule ID     | Legacy Rule ID | Description                                                 | Previous Action | New Action | Comments                       |
| -------------------------- | ----------- | -------------- | ----------------------------------------------------------- | --------------- | ---------- | ------------------------------ |
| Cloudflare Managed Ruleset | ...cb6d5fe5 | 100774C        | Adobe Commerce - Remote Code Execution - CVE:CVE-2025-54236 | Log             | Block      | This is an improved detection. |

## 2025-10-30

  
**WAF Release - 2025-10-30 - Emergency**   

This week’s release introduces a new detection signature that enhances coverage for a critical vulnerability in Oracle E-Business Suite, tracked as CVE-2025-61884.

**Key Findings**

The flaw is easily exploitable and allows an unauthenticated attacker with network access to compromise Oracle Configurator, which can grant access to sensitive resources and configuration data. The affected versions include 12.2.3 through 12.2.14.

**Impact**

Successful exploitation of CVE-2025-61884 may result in unauthorized access to critical business data or full exposure of information accessible through Oracle Configurator. Administrators are strongly advised to apply vendor's patches and recommended mitigations to reduce this exposure.

| Ruleset                    | Rule ID     | Legacy Rule ID | Description                                         | Previous Action | New Action | Comments                |
| -------------------------- | ----------- | -------------- | --------------------------------------------------- | --------------- | ---------- | ----------------------- |
| Cloudflare Managed Ruleset | ...8827402f | N/A            | Oracle E-Business Suite - SSRF - CVE:CVE-2025-61884 | N/A             | Block      | This is a New Detection |

## 2025-10-24

  
**WAF Release - 2025-10-24 - Emergency**   

This week’s release introduces a new detection signature that enhances coverage for a critical vulnerability in Windows Server Update Services (WSUS), tracked as CVE-2025-59287.

**Key Findings**

The vulnerability allows unauthenticated attackers to potentially achieve remote code execution. The updated detection logic strengthens defenses by improving resilience against exploitation attempts targeting this flaw.

**Impact**

Successful exploitation of CVE-2025-59287 could enable attackers to hijack sessions, execute arbitrary commands, exfiltrate sensitive data, and disrupt storefront operations. These actions pose significant confidentiality and integrity risks to affected environments. Administrators should apply vendor patches immediately to mitigate exposure.

| Ruleset                    | Rule ID     | Legacy Rule ID | Description                                           | Previous Action | New Action | Comments                |
| -------------------------- | ----------- | -------------- | ----------------------------------------------------- | --------------- | ---------- | ----------------------- |
| Cloudflare Managed Ruleset | ...bd72ba08 | N/A            | Windows Server - Deserialization - CVE:CVE-2025-59287 | N/A             | Block      | This is a New Detection |

## 2025-10-23

  
**WAF Release - 2025-10-23 - Emergency**   

This week highlights enhancements to detection signatures improving coverage for vulnerabilities in Adobe Commerce and Magento Open Source, linked to CVE-2025-54236.

**Key Findings**

This vulnerability allows unauthenticated attackers to take over customer accounts through the Commerce REST API and, in certain configurations, may lead to remote code execution. The latest update enhances detection logic to provide more resilient protection against exploitation attempts.

**Impact**

Adobe Commerce (CVE-2025-54236): Exploitation may allow attackers to hijack sessions, execute arbitrary commands, steal data, and disrupt storefronts, resulting in confidentiality and integrity risks for merchants. Administrators are strongly encouraged to apply vendor patches without delay.

| Ruleset                    | Rule ID     | Legacy Rule ID | Description                                                 | Previous Action | New Action | Comments                |
| -------------------------- | ----------- | -------------- | ----------------------------------------------------------- | --------------- | ---------- | ----------------------- |
| Cloudflare Managed Ruleset | ...c6ef59a1 | N/A            | Adobe Commerce - Remote Code Execution - CVE:CVE-2025-54236 | N/A             | Block      | This is a New Detection |

## 2025-10-20

  
**WAF Release - 2025-10-20**   

This week’s update introduces an enhanced rule that expands detection coverage for a critical vulnerability in Oracle E-Business Suite. It also improves an existing rule to provide more reliable coverage in request processing.

**Key Findings**

New WAF rule deployed for Oracle E-Business Suite (CVE-2025-61882) to block unauthenticated attacker's network access via HTTP to compromise Oracle Concurrent Processing. If successfully exploited, this vulnerability may result in remote code execution.

**Impact**

* Successful exploitation of CVE-2025-61882 allows unauthenticated attackers to execute arbitrary code remotely by chaining multiple weaknesses, enabling lateral movement into internal services, data exfiltration, and large-scale extortionware deployment within Oracle E-Business Suite environments.

| Ruleset                    | Rule ID     | Legacy Rule ID | Description                                                              | Previous Action | New Action | Comments                                                                                                    |
| -------------------------- | ----------- | -------------- | ------------------------------------------------------------------------ | --------------- | ---------- | ----------------------------------------------------------------------------------------------------------- |
| Cloudflare Managed Ruleset | ...2b4101ab | 100598A        | Remote Code Execution - Common Bash Bypass - Beta                        | Log             | Block      | This rule is merged into the original rule "Remote Code Execution - Common Bash Bypass" (ID: ...50cec478  ) |
| Cloudflare Managed Ruleset | ...a1118614 | 100916A        | Oracle E-Business Suite - Remote Code Execution - CVE:CVE-2025-61882 - 2 | Log             | Block      | This is a New Detection                                                                                     |
| Cloudflare Managed Ruleset | ...c22b51d3 | N/A            | HTTP Truncated                                                           | N/A             | Disabled   | This is a New Detection                                                                                     |

## 2025-10-17

  
**New detections released for WAF managed rulesets**   

This week we introduced several new detections across Cloudflare Managed Rulesets, expanding coverage for high-impact vulnerability classes such as SSRF, SQLi, SSTI, Reverse Shell attempts, and Prototype Pollution. These rules aim to improve protection against attacker-controlled payloads that exploit misconfigurations or unvalidated input in web applications.

**Key Findings**

New detections added for multiple exploit categories:

SSRF (Server-Side Request Forgery) — new rules targeting both local and cloud metadata abuse patterns (Beta).

SQL Injection (SQLi) — rules for common patterns, sleep/time-based injections, and string/wait function exploitation across headers and URIs.

SSTI (Server-Side Template Injection) — arithmetic-based probe detections introduced across URI, header, and body fields.

Reverse Shell and XXE payloads — enhanced heuristics for command execution and XML external entity misuse.

Prototype Pollution — new Beta rule identifying common JSON payload structures used in object prototype poisoning.

PHP Wrapper Injection and HTTP Parameter Pollution detections — to catch path traversal and multi-parameter manipulation attempts.

Anomaly Header Checks — detecting CRLF injection attempts in header names.

**Impact**

These updates help detect multi-vector payloads that blend SSRF + RCE or SQLi + SSTI attacks, especially in cloud-hosted applications with exposed metadata endpoints or unsafe template rendering.

Prototype Pollution and HTTP parameter pollution rules address emerging JavaScript supply-chain exploitation patterns increasingly seen in real-world incidents.

| Ruleset                    | Rule ID     | Legacy Rule ID | Description                                          | Previous Action | New Action | Comments                |
| -------------------------- | ----------- | -------------- | ---------------------------------------------------- | --------------- | ---------- | ----------------------- |
| Cloudflare Managed Ruleset | ...589f2a1d | N/A            | Anomaly:Header - name - CR, LF                       | N/A             | Disabled   | This is a New Detection |
| Cloudflare Managed Ruleset | ...132fab7e | N/A            | Generic Rules - Reverse Shell - Body                 | N/A             | Disabled   | This is a New Detection |
| Cloudflare Managed Ruleset | ...1a027008 | N/A            | Generic Rules - Reverse Shell - Header               | N/A             | Disabled   | This is a New Detection |
| Cloudflare Managed Ruleset | ...958d0486 | N/A            | Generic Rules - Reverse Shell - URI                  | N/A             | Disabled   | This is a New Detection |
| Cloudflare Managed Ruleset | ...8e0cf7ad | N/A            | Generic Rules - XXE - Body                           | N/A             | Disabled   | This is a New Detection |
| Cloudflare Managed Ruleset | ...bf8aab5e | N/A            | Generic Rules - SQLi - Common Patterns - Header URI  | N/A             | Disabled   | This is a New Detection |
| Cloudflare Managed Ruleset | ...2e466337 | N/A            | Generic Rules - SQLi - Sleep Function - Header URI   | N/A             | Disabled   | This is a New Detection |
| Cloudflare Managed Ruleset | ...b686ab47 | N/A            | Generic Rules - SQLi - String Function - Header URI  | N/A             | Disabled   | This is a New Detection |
| Cloudflare Managed Ruleset | ...b0633709 | N/A            | Generic Rules - SQLi - WaitFor Function - Header URI | N/A             | Disabled   | This is a New Detection |
| Cloudflare Managed Ruleset | ...01a076eb | N/A            | SSRF - Local - Beta                                  | N/A             | Disabled   | This is a New Detection |
| Cloudflare Managed Ruleset | ...743a63ec | N/A            | SSRF - Local - 2 - Beta                              | N/A             | Disabled   | This is a New Detection |
| Cloudflare Managed Ruleset | ...c2e84e2d | N/A            | SSRF - Cloud - Beta                                  | N/A             | Disabled   | This is a New Detection |
| Cloudflare Managed Ruleset | ...ab8af26f | N/A            | SSRF - Cloud - 2 - Beta                              | N/A             | Disabled   | This is a New Detection |
| Cloudflare Managed Ruleset | ...e6e8dc5b | N/A            | SSTI - Arithmetic Probe - URI                        | N/A             | Disabled   | This is a New Detection |
| Cloudflare Managed Ruleset | ...2550d794 | N/A            | SSTI - Arithmetic Probe - Header                     | N/A             | Disabled   | This is a New Detection |
| Cloudflare Managed Ruleset | ...659d12a6 | N/A            | SSTI - Arithmetic Probe - Body                       | N/A             | Disabled   | This is a New Detection |
| Cloudflare Managed Ruleset | ...1a3e521e | N/A            | PHP Wrapper Injection                                | N/A             | Disabled   | This is a New Detection |
| Cloudflare Managed Ruleset | ...8f76bd74 | N/A            | PHP Wrapper Injection                                | N/A             | Disabled   | This is a New Detection |
| Cloudflare Managed Ruleset | ...091e296d | N/A            | HTTP parameter pollution                             | N/A             | Disabled   | This is a New Detection |
| Cloudflare Managed Ruleset | ...e34214ef | N/A            | Prototype Pollution - Common Payloads - Beta         | N/A             | Disabled   | This is a New Detection |

## 2025-10-13

  
**WAF Release - 2025-10-13**   

This week’s highlights include a new JinJava rule targeting a sandbox-bypass flaw that could allow malicious template input to escape execution controls. The rule improves detection for unsafe template rendering paths.

**Key Findings**

New WAF rule deployed for JinJava (CVE-2025-59340) to block a sandbox bypass in the template engine that permits attacker-controlled type construction and arbitrary class instantiation; in vulnerable environments this can escalate to remote code execution and full server compromise.

**Impact**

* CVE-2025-59340 — Exploitation enables attacker-supplied type descriptors / Jackson `ObjectMapper` abuse, allowing arbitrary class loading, file/URL access (LFI/SSRF primitives) and, with suitable gadget chains, potential remote code execution and system compromise.

| Ruleset                    | Rule ID     | Legacy Rule ID | Description                         | Previous Action | New Action | Comments                |
| -------------------------- | ----------- | -------------- | ----------------------------------- | --------------- | ---------- | ----------------------- |
| Cloudflare Managed Ruleset | ...c04bab5f | 100892         | JinJava - SSTI - CVE:CVE-2025-59340 | Log             | Block      | This is a New Detection |

## 2025-10-07

  
**WAF Release - 2025-10-07 - Emergency**   

This week highlights multiple critical Cisco vulnerabilities (CVE-2025-20363, CVE-2025-20333, CVE-2025-20362). This flaw stems from improper input validation in HTTP(S) requests. An authenticated VPN user could send crafted requests to execute code as root, potentially compromising the device. The initial two rules were made available on September 28, with a third rule added today, October 7, for more robust protection.

* Cisco (CVE-2025-20333, CVE-2025-20362, CVE-2025-20363): Multiple vulnerabilities that could allow attackers to exploit unsafe deserialization and input validation flaws. Successful exploitation may result in arbitrary code execution, privilege escalation, or command injection on affected systems.

**Impact**

Cisco (CVE-2025-20333, CVE-2025-20362, CVE-2025-20363): Exploitation enables attackers to escalate privileges or achieve remote code execution via command injection. Administrators are strongly advised to apply vendor updates immediately.

| Ruleset                    | Rule ID     | Legacy Rule ID | Description                                                                                                                            | Previous Action | New Action | Comments                |
| -------------------------- | ----------- | -------------- | -------------------------------------------------------------------------------------------------------------------------------------- | --------------- | ---------- | ----------------------- |
| Cloudflare Managed Ruleset | ...3a4d1bd6 | 100788B        | Cisco Secure Firewall Adaptive Security Appliance - Remote Code Execution - CVE:CVE-2025-20333, CVE:CVE-2025-20362, CVE:CVE-2025-20363 | N/A             | Block      | This is a New Detection |

## 2025-10-06

  
**WAF Release - 2025-10-06**   

This week’s highlights prioritise an emergency Oracle E-Business Suite RCE rule deployed to block active, high-impact exploitation. Also addressed are high-severity Chaos Mesh controller command-injection flaws that enable unauthenticated in-cluster RCE and potential cluster compromise, plus a form-data multipart boundary issue that permits HTTP Parameter Pollution (HPP). Two new generic SQLi detections were added to catch inline-comment obfuscation and information disclosure techniques.

**Key Findings**

* New emergency rule released for Oracle E-Business Suite (CVE-2025-61882) addressing an actively exploited remote code execution vulnerability in core business application modules. Immediate mitigation deployed to protect enterprise workloads.
* Chaos Mesh (CVE-2025-59358,CVE-2025-59359,CVE-2025-59360,CVE-2025-59361): A GraphQL debug endpoint on the Chaos Controller Manager is exposed without authentication; several controller mutations (`cleanTcs`, `killProcesses`, `cleanIptables`) are vulnerable to OS command injection.
* Form-Data (CVE-2025-7783): Attackers who can observe `Math.random()` outputs and control request fields in form-data may exploit this flaw to perform HTTP parameter pollution, leading to request tampering or data manipulation.
* Two new generic SQLi detections added to enhance baseline coverage against inline-comment obfuscation and information disclosure attempts.

**Impact**

* CVE-2025-61882 — Oracle E-Business Suite remote code execution (emergency detection): attacker-controlled input can yield full system compromise, data exfiltration, and operational outage; immediate blocking enforced.
* CVE-2025-59358 / CVE-2025-59359 / CVE-2025-59360 / CVE-2025-59361 — Unauthenticated command-injection in Chaos Mesh controllers allowing remote code execution, cluster compromise, and service disruption (high availability risk).
* CVE-2025-7783 — Predictable multipart boundaries in form-data enabling HTTP Parameter Pollution; results include request tampering, parameter overwrite, and downstream data integrity loss.

| Ruleset                    | Rule ID     | Legacy Rule ID | Description                                                          | Previous Action | New Action | Comments                |
| -------------------------- | ----------- | -------------- | -------------------------------------------------------------------- | --------------- | ---------- | ----------------------- |
| Cloudflare Managed Ruleset | ...8650f52f | 100882         | Chaos Mesh - Missing Authentication - CVE:CVE-2025-59358             | Log             | Disabled   | This is a New Detection |
| Cloudflare Managed Ruleset | ...2b8c3680 | 100883         | Chaos Mesh - Command Injection - CVE:CVE-2025-59359                  | Log             | Block      | This is a New Detection |
| Cloudflare Managed Ruleset | ...ef859a04 | 100884         | Chaos Mesh - Command Injection - CVE:CVE-2025-59361                  | Log             | Block      | This is a New Detection |
| Cloudflare Managed Ruleset | ...961f26a7 | 100886         | Form-Data - Parameter Pollution - CVE:CVE-2025-7783                  | Log             | Block      | This is a New Detection |
| Cloudflare Managed Ruleset | ...26a4074c | 100888         | Chaos Mesh - Command Injection - CVE:CVE-2025-59360                  | Log             | Block      | This is a New Detection |
| Cloudflare Managed Ruleset | ...31101b2f | 100916         | Oracle E-Business Suite - Remote Code Execution - CVE:CVE-2025-61882 | N/A             | Block      | This is a New Detection |
| Cloudflare Managed Ruleset | ...29aa43c3 | 100917         | Generic Rules - SQLi - Inline Comment Injection                      | N/A             | Disabled   | This is a New Detection |
| Cloudflare Managed Ruleset | ...73c10b6f | 100918         | Generic Rules - SQLi - Information Disclosure                        | N/A             | Disabled   | This is a New Detection |

## 2025-10-03

  
**WAF Release - 2025-10-03**   

**Managed Ruleset Updated**

This update introduces 21 new detections in the Cloudflare Managed Ruleset (all currently set to Disabled mode to preserve remediation logic and allow quick activation if needed). The rules cover a broad spectrum of threats - SQL injection techniques, command and code injection, information disclosure of common files, URL anomalies, and cross-site scripting.

| Ruleset                    | Rule ID     | Legacy Rule ID | Description                             | Previous Action | New Action | Comments                |
| -------------------------- | ----------- | -------------- | --------------------------------------- | --------------- | ---------- | ----------------------- |
| Cloudflare Managed Ruleset | ...d61fac74 | 100902         | Generic Rules - Command Execution - 2   | N/A             | Disabled   | This is a New Detection |
| Cloudflare Managed Ruleset | ...514aeeb8 | 100908         | Generic Rules - Command Execution - 3   | N/A             | Disabled   | This is a New Detection |
| Cloudflare Managed Ruleset | ...8d46a6f4 | 100910         | Generic Rules - Command Execution - 4   | N/A             | Disabled   | This is a New Detection |
| Cloudflare Managed Ruleset | ...1bd0a329 | 100915         | Generic Rules - Command Execution - 5   | N/A             | Disabled   | This is a New Detection |
| Cloudflare Managed Ruleset | ...5e51450a | 100899         | Generic Rules - Content-Type Abuse      | N/A             | Disabled   | This is a New Detection |
| Cloudflare Managed Ruleset | ...7996012f | 100914         | Generic Rules - Content-Type Injection  | N/A             | Disabled   | This is a New Detection |
| Cloudflare Managed Ruleset | ...93209312 | 100911         | Generic Rules - Cookie Header Injection | N/A             | Disabled   | This is a New Detection |
| Cloudflare Managed Ruleset | ...0f373b3f | 100905         | Generic Rules - NoSQL Injection         | N/A             | Disabled   | This is a New Detection |
| Cloudflare Managed Ruleset | ...78a0ed04 | 100913         | Generic Rules - NoSQL Injection - 2     | N/A             | Disabled   | This is a New Detection |
| Cloudflare Managed Ruleset | ...5d649624 | 100907         | Generic Rules - Parameter Pollution     | N/A             | Disabled   | This is a New Detection |
| Cloudflare Managed Ruleset | ...fd1c674e | 100906         | Generic Rules - PHP Object Injection    | N/A             | Disabled   | This is a New Detection |
| Cloudflare Managed Ruleset | ...34c88168 | 100904         | Generic Rules - Prototype Pollution     | N/A             | Disabled   | This is a New Detection |
| Cloudflare Managed Ruleset | ...3ab43f7e | 100897         | Generic Rules - Prototype Pollution 2   | N/A             | Disabled   | This is a New Detection |
| Cloudflare Managed Ruleset | ...0d94ee22 | 100903         | Generic Rules - Reverse Shell           | N/A             | Disabled   | This is a New Detection |
| Cloudflare Managed Ruleset | ...d5add8e3 | 100909         | Generic Rules - Reverse Shell - 2       | N/A             | Disabled   | This is a New Detection |
| Cloudflare Managed Ruleset | ...565c78b0 | 100898         | Generic Rules - SSJI NoSQL              | N/A             | Disabled   | This is a New Detection |
| Cloudflare Managed Ruleset | ...12b837a0 | 100896         | Generic Rules - SSRF                    | N/A             | Disabled   | This is a New Detection |
| Cloudflare Managed Ruleset | ...11c4fb00 | 100895         | Generic Rules - Template Injection      | N/A             | Disabled   | This is a New Detection |
| Cloudflare Managed Ruleset | ...d3ed0123 | 100895A        | Generic Rules - Template Injection - 2  | N/A             | Disabled   | This is a New Detection |
| Cloudflare Managed Ruleset | ...7501a1d9 | 100912         | Generic Rules - XXE                     | N/A             | Disabled   | This is a New Detection |
| Cloudflare Managed Ruleset | ...dc55cdb6 | 100900         | Relative Paths - Anomaly Headers        | N/A             | Disabled   | This is a New Detection |

```json
{"@context":"https://schema.org","@type":"TechArticle","@id":"https://developers.cloudflare.com/waf/change-log/changelog/2/#page","headline":"Changelog · Cloudflare Web Application Firewall (WAF) docs","description":"This week's release focuses on improvements to existing detections to enhance coverage.","url":"https://developers.cloudflare.com/waf/change-log/changelog/2/","inLanguage":"en","image":"https://developers.cloudflare.com/core-services-preview.png","publisher":{"@type":"Organization","name":"Cloudflare","url":"https://www.cloudflare.com/"},"isPartOf":{"@type":"WebSite","@id":"https://developers.cloudflare.com/#website","name":"Cloudflare Docs","url":"https://developers.cloudflare.com/"}}
{"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/waf/","name":"WAF"}},{"@type":"ListItem","position":3,"item":{"@id":"/waf/change-log/","name":"WAF changelog overview"}},{"@type":"ListItem","position":4,"item":{"@id":"/waf/change-log/changelog/","name":"Changelog"}}]}
```
