2025-09-22 waf release note

Author: ay-cf

src/content/changelog/waf/2025-09-22-waf-release.mdx

@@ -0,0 +1,133 @@
+---
+title: "WAF Release - 2025-09-22"
+description: Cloudflare WAF managed rulesets 2025-09-22 release
+date: 2025-09-22
+---
+
+import { RuleID } from "~/components";
+
+This week emphasizes two critical vendor-specific vulnerabilities: a full elevation-of-privilege in Microsoft Azure Networking (CVE-2025-54914) and a server-side template injection (SSTI) leading to remote code execution (RCE) in Skyvern (CVE-2025-49619). These are complemented by enhancements in generic detections (SQLi, SSRF) to improve baseline coverage.
+
+**Key Findings**
+
+
+* Azure (CVE-2025-54914): Vulnerability in Azure Networking allowing elevation of privileges. 
+
+* Skyvern (CVE-2025-49619): Skyvern ≤ 0.1.85 has a server-side template injection (SSTI) vulnerability in its Prompt field (workflow blocks) via Jinja2. Authenticated users with low privileges can get remote code execution (blind). 
+
+* Generic SQLi / SSRF improvements: Expanded rule coverage to detect obfuscated SQL injection patterns and SSRF across host, local, and cloud contexts.
+
+**Impact**
+
+These vulnerabilities allow attackers to escalate privileges or execute code under conditions where previously they could not:
+
+* Azure CVE-2025-54914 enables an attacker from the network with no credentials to gain high-level access within Azure Networking; could lead to full compromise of networking components. 
+
+* Skyvern CVE-2025-49619 allows authenticated users with minimal privilege to exploit SSTI for remote code execution, undermining isolation of workflow components. 
+
+* The improvements for SQLi and SSRF reduce risk from common injection and request-based attacks.
+
+
+<table style="width: 100%">
+  <thead>
+    <tr>
+      <th>Ruleset</th>
+      <th>Rule ID</th>
+      <th>Legacy Rule ID</th>
+      <th>Description</th>
+      <th>Previous Action</th>
+      <th>New Action</th>
+      <th>Comments</th>
+    </tr>
+  </thead>
+  <tbody>
+    <tr>
+      <td>Cloudflare Managed Ruleset</td>
+      <td>
+        <RuleID id="c36a425ae0c94789a9bc34f06a135cbf" />
+      </td>
+      <td>100146</td>
+      <td>SSRF - Host - 2</td>
+      <td>Log</td>
+      <td>Disabled</td>
+      <td>This is a New Detection</td>
+    </tr>
+    <tr>
+      <td>Cloudflare Managed Ruleset</td>
+      <td>
+        <RuleID id="dfa84b0aed5a4b45b953a36a57035abf" />
+      </td>
+      <td>100146B</td>
+      <td>SSRF - Local - 2</td>
+      <td>Log</td>
+      <td>Disabled</td>
+      <td>This is a New Detection</td>
+    </tr>
+    <tr>
+      <td>Cloudflare Managed Ruleset</td>
+      <td>
+        <RuleID id="276073e60c7a4b4d91faba1fbbe18d50" />
+      </td>
+      <td>100146C</td>
+      <td>SSRF - Cloud - 2</td>
+      <td>Log</td>
+      <td>Disabled</td>
+      <td>This is a New Detection</td>
+    </tr>
+    <tr>
+      <td>Cloudflare Managed Ruleset</td>
+      <td>
+        <RuleID id="78c856218f2d40f4b5988c8c956c1961" />
+      </td>
+      <td>100714</td>
+      <td>Azure - Auth Bypass - CVE:CVE-2025-54914</td>
+      <td>Log</td>
+      <td>block</td>
+      <td>This is a New Detection</td>
+    </tr>
+    <tr>
+      <td>Cloudflare Managed Ruleset</td>
+      <td>
+        <RuleID id="9f1c8d4cbf3848dbb940771bc5ced231" />
+      </td>
+      <td>100758</td>
+      <td>Skyvern - Remote Code Execution - CVE:CVE-2025-49619</td>
+      <td>Log</td>
+      <td>block</td>
+      <td>This is a New Detection</td>
+    </tr>
+    <tr>
+      <td>Cloudflare Managed Ruleset</td>
+      <td>
+        <RuleID id="6be7e7829f3b43c688e1ac4284a619a1" />
+      </td>
+      <td>100773</td>
+      <td>Next.js - SSRF</td>
+      <td>Log</td>
+      <td>Block</td>
+      <td>This is a New Detection</td>
+    </tr>
+    <tr>
+      <td>Cloudflare Managed Ruleset</td>
+      <td>
+        <RuleID id="0cc3f50216bf4b448210bcc3983ff2dd" />
+      </td>
+      <td>100774</td>
+      <td>Adobe Commerce - Remote Code Execution - CVE:CVE-2025-54236</td>
+      <td>Log</td>
+      <td>Block</td>
+      <td>This is a New Detection</td>
+    </tr>
+    <tr>
+      <td>Cloudflare Managed Ruleset</td>
+      <td>
+        <RuleID id="53bfaeb311a049e3877fa15c0380a1a6" />
+      </td>
+      <td>100800_BETA</td>
+      <td>SQLi - Obfuscated Boolean - Beta</td>
+      <td>Log</td>
+      <td>Block</td>
+      <td>This rule has been merged into the original rule (ID: <RuleID id="7663ea44178441a0b3205c145563445f" /></td>
+    </tr>
+  </tbody>
+</table>

src/content/changelog/waf/scheduled-waf-release.mdx

@@ -1,7 +1,7 @@
 ---
-title: WAF Release - Scheduled changes for 2025-09-22
-description: WAF managed ruleset changes scheduled for 2025-09-22
-date: 2025-09-15
+title: WAF Release - Scheduled changes for 2025-09-29
+description: WAF managed ruleset changes scheduled for 2025-09-29
+date: 2025-09-22
 scheduled: true
 ---
 
@@ -20,93 +20,38 @@ import { RuleID } from "~/components";
     </tr>
   </thead>
   <tbody>
-    <tr>
-      <td>2025-09-15</td>
+   <tr>
       <td>2025-09-22</td>
+      <td>2025-09-29</td>
       <td>Log</td>
-      <td>100800_BETA</td>
+      <td>100717</td>
       <td>
-        <RuleID id="199cce9ab21e40bcb535f01b2ee2085f" />
+        <RuleID id="6fe90532af50427484a5275c8c2e30fb" />
       </td>
-      <td>SQLi - Obfuscated Boolean - Beta</td>
-      <td>This rule will be merged to 100800 in old WAF and 7663ea44178441a0b3205c145563445f in new WAF</td>
-    </tr>
-    <tr>
-      <td>2025-09-15</td>
+      <td>SimpleHelp - Auth Bypass - CVE:CVE-2024-57727 - Beta</td>
+      <td>This rule will be merged to (ID: <RuleID id="498fcd81a62a4b5ca943e2de958094d3" /></td>
+   </tr>
+   <tr>
       <td>2025-09-22</td>
+      <td>2025-09-29</td>
       <td>Log</td>
-      <td>100146C</td>
+      <td>100881</td>
       <td>
-        <RuleID id="276073e60c7a4b4d91faba1fbbe18d50" />
+        <RuleID id="68fc5c086ccb4b40a35a63b19bce1ff4" />
       </td>
-      <td>SSRF - Cloud - 2</td>
+      <td>WordPress:Plugin:Ditty - SSRF - CVE:CVE-2025-8085</td>
       <td>This is a New Detection</td>
     </tr>
     <tr>
-      <td>2025-09-15</td>
       <td>2025-09-22</td>
+      <td>2025-09-29</td>
       <td>Log</td>
-      <td>100146</td>
+      <td>100887</td>
       <td>
-        <RuleID id="c36a425ae0c94789a9bc34f06a135cbf" />
+        <RuleID id="9e1a56e6b3bc49b187bf6e35ddc329dd" />
       </td>
-      <td>SSRF - Host - 2</td>
+      <td>Vite - Directory Traversal - CVE:CVE-2025-30208</td>
       <td>This is a New Detection</td>
     </tr>
-     <tr>
-       <td>2025-09-15</td>
-       <td>2025-09-22</td>
-       <td>Log</td>
-       <td>100146B</td>
-       <td>
-         <RuleID id="dfa84b0aed5a4b45b953a36a57035abf" />
-       </td>
-       <td>SSRF - Local - 2</td>
-       <td>This is a New Detection</td>
-     </tr>
-     <tr>
-       <td>2025-09-15</td>
-       <td>2025-09-22</td>
-       <td>Log</td>
-       <td>100773</td>
-       <td>
-         <RuleID id="6be7e7829f3b43c688e1ac4284a619a1" />
-       </td>
-       <td>Next.js - SSRF</td>
-       <td>This is a New Detection</td>
-     </tr>
-     <tr>
-       <td>2025-09-15</td>
-       <td>2025-09-22</td>
-       <td>Log</td>
-       <td>100758</td>
-       <td>
-         <RuleID id="9f1c8d4cbf3848dbb940771bc5ced231" />
-       </td>
-       <td>Skyvern - Remote Code Execution - CVE:CVE-2025-49619</td>
-       <td>This is a New Detection</td>
-     </tr>
-		 <tr>
-		 	 <td>2025-09-15</td>
-			 <td>2025-09-22</td>
-			 <td>Log</td>
-			 <td>100714</td>
-			 <td>
-				 <RuleID id="78c856218f2d40f4b5988c8c956c1961" />
-			 </td>
-			 <td>Azure - Auth Bypass - CVE:CVE-2025-54914</td>
-			 <td>This is a New Detection</td>
-		 </tr>
-		 <tr>
-		 	 <td>2025-09-15</td>
-			 <td>2025-09-22</td>
-			 <td>Log</td>
-			 <td>100774</td>
-			 <td>
-				 <RuleID id="0cc3f50216bf4b448210bcc3983ff2dd" />
-			 </td>
-			 <td>Adobe Commerce - Remote Code Execution - CVE:CVE-2025-54236</td>
-			 <td>This is a New Detection</td>
-		 </tr>
   </tbody>
 </table>