|
| 1 | +--- |
| 2 | +title: "WAF Release - 2025-09-29" |
| 3 | +description: Cloudflare WAF managed rulesets 2025-09-29 release |
| 4 | +date: 2025-09-29 |
| 5 | +--- |
| 6 | + |
| 7 | +import { RuleID } from "~/components"; |
| 8 | + |
| 9 | +This week emphasizes two critical vendor-specific vulnerabilities: a full elevation-of-privilege in Microsoft Azure Networking (CVE-2025-54914) and a server-side template injection (SSTI) leading to remote code execution (RCE) in Skyvern (CVE-2025-49619). These are complemented by enhancements in generic detections (SQLi, SSRF) to improve baseline coverage. |
| 10 | + |
| 11 | +**Key Findings** |
| 12 | + |
| 13 | + |
| 14 | +* Azure (CVE-2025-54914): Vulnerability in Azure Networking allowing elevation of privileges. |
| 15 | + |
| 16 | +* Skyvern (CVE-2025-49619): Skyvern ≤ 0.1.85 has a server-side template injection (SSTI) vulnerability in its Prompt field (workflow blocks) via Jinja2. Authenticated users with low privileges can get remote code execution (blind). |
| 17 | + |
| 18 | +* Generic SQLi / SSRF improvements: Expanded rule coverage to detect obfuscated SQL injection patterns and SSRF across host, local, and cloud contexts. |
| 19 | + |
| 20 | +**Impact** |
| 21 | + |
| 22 | +These vulnerabilities allow attackers to escalate privileges or execute code under conditions where previously they could not: |
| 23 | + |
| 24 | +* Azure CVE-2025-54914 enables an attacker from the network with no credentials to gain high-level access within Azure Networking; could lead to full compromise of networking components. |
| 25 | + |
| 26 | +* Skyvern CVE-2025-49619 allows authenticated users with minimal privilege to exploit SSTI for remote code execution, undermining isolation of workflow components. |
| 27 | + |
| 28 | +* The improvements for SQLi and SSRF reduce risk from common injection and request-based attacks. |
| 29 | + |
| 30 | + |
| 31 | +<table style="width: 100%"> |
| 32 | + <thead> |
| 33 | + <tr> |
| 34 | + <th>Ruleset</th> |
| 35 | + <th>Rule ID</th> |
| 36 | + <th>Legacy Rule ID</th> |
| 37 | + <th>Description</th> |
| 38 | + <th>Previous Action</th> |
| 39 | + <th>New Action</th> |
| 40 | + <th>Comments</th> |
| 41 | + </tr> |
| 42 | + </thead> |
| 43 | + <tbody> |
| 44 | + <tr> |
| 45 | + <td>Cloudflare Managed Ruleset</td> |
| 46 | + <td> |
| 47 | + <RuleID id="6fe90532af50427484a5275c8c2e30fb" /> |
| 48 | + </td> |
| 49 | + <td>100717</td> |
| 50 | + <td>SimpleHelp - Auth Bypass - CVE:CVE-2024-57727</td> |
| 51 | + <td>Log</td> |
| 52 | + <td>Block</td> |
| 53 | + <td>This rule is merged to 100717 in legacy WAF and <RuleID id="498fcd81a62a4b5ca943e2de958094d3" /> in new WAF</td> |
| 54 | + </tr> |
| 55 | + <tr> |
| 56 | + <td>Cloudflare Managed Ruleset</td> |
| 57 | + <td> |
| 58 | + <RuleID id="013ef5de3f074fd5a43cdd70d58b886b" /> |
| 59 | + </td> |
| 60 | + <td>100775</td> |
| 61 | + <td>Flowise Cloud - Information Disclosure - CVE:CVE-2025-58434</td> |
| 62 | + <td>Log</td> |
| 63 | + <td>Block</td> |
| 64 | + <td>This is a New Detection</td> |
| 65 | + </tr> |
| 66 | + <tr> |
| 67 | + <td>Cloudflare Managed Ruleset</td> |
| 68 | + <td> |
| 69 | + <RuleID id="68fc5c086ccb4b40a35a63b19bce1ff4" /> |
| 70 | + </td> |
| 71 | + <td>100881</td> |
| 72 | + <td>WordPress:Plugin:Ditty - SSRF - CVE:CVE-2025-8085</td> |
| 73 | + <td>Log</td> |
| 74 | + <td>Block</td> |
| 75 | + <td>This is a New Detection</td> |
| 76 | + </tr> |
| 77 | + <tr> |
| 78 | + <td>Cloudflare Managed Ruleset</td> |
| 79 | + <td> |
| 80 | + <RuleID id="9e1a56e6b3bc49b187bf6e35ddc329dd" /> |
| 81 | + </td> |
| 82 | + <td>100887</td> |
| 83 | + <td>Vite - Directory Traversal - CVE:CVE-2025-30208</td> |
| 84 | + <td>Log</td> |
| 85 | + <td>Block</td> |
| 86 | + <td>This is a New Detection</td> |
| 87 | + </tr> |
| 88 | + </tbody> |
| 89 | +</table> |
0 commit comments