Release-Oct-17-2025: Emergency (#25908)

vs-mg · haleycode · web-flow · commit 85b050d0e003 · 2025-10-17T20:30:56.000Z
* Release-Oct-17-2025: Emergency

* Update src/content/changelog/waf/2025-10-17-emergency-waf-release.mdx

* Update src/content/changelog/waf/2025-10-17-emergency-waf-release.mdx

* Update src/content/changelog/waf/2025-10-17-emergency-waf-release.mdx

---------

Co-authored-by: Haley C. &lt;87731946+haleycode@users.noreply.github.com&gt;
diff --git a/src/content/changelog/waf/2025-10-17-emergency-waf-release.mdx b/src/content/changelog/waf/2025-10-17-emergency-waf-release.mdx
@@ -0,0 +1,229 @@
+---
+title: New detections released for WAF managed rulesets
+description: New Cloudflare WAF managed rulesets release to improve protection against attacker-controlled payloads
+date: 2025-10-17
+---
+
+import { RuleID } from "~/components";
+
+This week we introduced several new detections across Cloudflare Managed Rulesets, expanding coverage for high-impact vulnerability classes such as SSRF, SQLi, SSTI, Reverse Shell attempts, and Prototype Pollution. These rules aim to improve protection against attacker-controlled payloads that exploit misconfigurations or unvalidated input in web applications.
+
+**Key Findings**
+
+New detections added for multiple exploit categories:
+
+SSRF (Server-Side Request Forgery) — new rules targeting both local and cloud metadata abuse patterns (Beta).
+
+SQL Injection (SQLi) — rules for common patterns, sleep/time-based injections, and string/wait function exploitation across headers and URIs.
+
+SSTI (Server-Side Template Injection) — arithmetic-based probe detections introduced across URI, header, and body fields.
+
+Reverse Shell and XXE payloads — enhanced heuristics for command execution and XML external entity misuse.
+
+Prototype Pollution — new Beta rule identifying common JSON payload structures used in object prototype poisoning.
+
+PHP Wrapper Injection and HTTP Parameter Pollution detections — to catch path traversal and multi-parameter manipulation attempts.
+
+Anomaly Header Checks — detecting CRLF injection attempts in header names.
+
+**Impact**
+
+These updates help detect multi-vector payloads that blend SSRF + RCE or SQLi + SSTI attacks, especially in cloud-hosted applications with exposed metadata endpoints or unsafe template rendering.
+
+Prototype Pollution and HTTP parameter pollution rules address emerging JavaScript supply-chain exploitation patterns increasingly seen in real-world incidents.
+
+<table style="width: 100%">
+	<thead>
+		<tr>
+			<th>Ruleset</th>
+			<th>Rule ID</th>
+			<th>Legacy Rule ID</th>
+			<th>Description</th>
+			<th>Previous Action</th>
+			<th>New Action</th>
+			<th>Comments</th>
+		</tr>
+	</thead>
+	<tbody>
+		<tr>
+			<td>Cloudflare Managed Ruleset</td>
+			<td><RuleID id="72f0ff933fb0492eb71cda50589f2a1d" /></td>
+			<td>N/A</td>
+			<td>Anomaly:Header - name - CR, LF</td>
+			<td>N/A</td>
+			<td>Disabled</td>
+			<td>This is a New Detection</td>
+		</tr>
+		<tr>
+			<td>Cloudflare Managed Ruleset</td>
+			<td><RuleID id="5d0377e4435f467488614170132fab7e" /></td>
+			<td>N/A</td>
+			<td>Generic Rules - Reverse Shell - Body</td>
+			<td>N/A</td>
+			<td>Disabled</td>
+			<td>This is a New Detection</td>
+		</tr>
+		<tr>
+			<td>Cloudflare Managed Ruleset</td>
+			<td><RuleID id="54e32f7f802c4a699182e8921a027008" /></td>
+			<td>N/A</td>
+			<td>Generic Rules - Reverse Shell - Header</td>
+			<td>N/A</td>
+			<td>Disabled</td>
+			<td>This is a New Detection</td>
+		</tr>
+		<tr>
+			<td>Cloudflare Managed Ruleset</td>
+			<td><RuleID id="7cbda8dbafbc465d9b64a8f2958d0486" /></td>
+			<td>N/A</td>
+			<td>Generic Rules - Reverse Shell - URI</td>
+			<td>N/A</td>
+			<td>Disabled</td>
+			<td>This is a New Detection</td>
+		</tr>
+		<tr>
+			<td>Cloudflare Managed Ruleset</td>
+			<td><RuleID id="b9f3420674cf481da32333dc8e0cf7ad" /></td>
+			<td>N/A</td>
+			<td>Generic Rules - XXE - Body</td>
+			<td>N/A</td>
+			<td>Disabled</td>
+			<td>This is a New Detection</td>
+		</tr>
+		<tr>
+			<td>Cloudflare Managed Ruleset</td>
+			<td><RuleID id="ad55483512f0440b81426acdbf8aab5e" /></td>
+			<td>N/A</td>
+			<td>Generic Rules - SQLi - Common Patterns - Header URI</td>
+			<td>N/A</td>
+			<td>Disabled</td>
+			<td>This is a New Detection</td>
+		</tr>
+		<tr>
+			<td>Cloudflare Managed Ruleset</td>
+			<td><RuleID id="849c0618d1674f1c92ba6f9b2e466337" /></td>
+			<td>N/A</td>
+			<td>Generic Rules - SQLi - Sleep Function - Header URI</td>
+			<td>N/A</td>
+			<td>Disabled</td>
+			<td>This is a New Detection</td>
+		</tr>
+		<tr>
+			<td>Cloudflare Managed Ruleset</td>
+			<td><RuleID id="1b4db4c4bd0649c095c27c6cb686ab47" /></td>
+			<td>N/A</td>
+			<td>Generic Rules - SQLi - String Function - Header URI</td>
+			<td>N/A</td>
+			<td>Disabled</td>
+			<td>This is a New Detection</td>
+		</tr>
+		<tr>
+			<td>Cloudflare Managed Ruleset</td>
+			<td><RuleID id="fa2055b84af94ba4b925f834b0633709" /></td>
+			<td>N/A</td>
+			<td>Generic Rules - SQLi - WaitFor Function - Header URI</td>
+			<td>N/A</td>
+			<td>Disabled</td>
+			<td>This is a New Detection</td>
+		</tr>
+		<tr>
+			<td>Cloudflare Managed Ruleset</td>
+			<td><RuleID id="158177dec2504acdba1f2da201a076eb" /></td>
+			<td>N/A</td>
+			<td>SSRF - Local - Beta</td>
+			<td>N/A</td>
+			<td>Disabled</td>
+			<td>This is a New Detection</td>
+		</tr>
+		<tr>
+			<td>Cloudflare Managed Ruleset</td>
+			<td><RuleID id="98bfd6bb46074d5b8d1c4b39743a63ec" /></td>
+			<td>N/A</td>
+			<td>SSRF - Local - 2 - Beta</td>
+			<td>N/A</td>
+			<td>Disabled</td>
+			<td>This is a New Detection</td>
+		</tr>
+		<tr>
+			<td>Cloudflare Managed Ruleset</td>
+			<td><RuleID id="54e1733b10da4a599e06c6fbc2e84e2d" /></td>
+			<td>N/A</td>
+			<td>SSRF - Cloud - Beta</td>
+			<td>N/A</td>
+			<td>Disabled</td>
+			<td>This is a New Detection</td>
+		</tr>
+		<tr>
+			<td>Cloudflare Managed Ruleset</td>
+			<td><RuleID id="ecd26d61a75e46f6a4449a06ab8af26f" /></td>
+			<td>N/A</td>
+			<td>SSRF - Cloud - 2 - Beta</td>
+			<td>N/A</td>
+			<td>Disabled</td>
+			<td>This is a New Detection</td>
+		</tr>
+		<tr>
+			<td>Cloudflare Managed Ruleset</td>
+			<td><RuleID id="c16f4e133c4541f293142d02e6e8dc5b" /></td>
+			<td>N/A</td>
+			<td>SSTI - Arithmetic Probe - URI</td>
+			<td>N/A</td>
+			<td>Disabled</td>
+			<td>This is a New Detection</td>
+		</tr>
+		<tr>
+			<td>Cloudflare Managed Ruleset</td>
+			<td><RuleID id="f4fd9904e7624666b8c49cd62550d794" /></td>
+			<td>N/A</td>
+			<td>SSTI - Arithmetic Probe - Header</td>
+			<td>N/A</td>
+			<td>Disabled</td>
+			<td>This is a New Detection</td>
+		</tr>
+		<tr>
+			<td>Cloudflare Managed Ruleset</td>
+			<td><RuleID id="5c0875604f774c36a4f9b69c659d12a6" /></td>
+			<td>N/A</td>
+			<td>SSTI - Arithmetic Probe - Body</td>
+			<td>N/A</td>
+			<td>Disabled</td>
+			<td>This is a New Detection</td>
+		</tr>
+		<tr>
+			<td>Cloudflare Managed Ruleset</td>
+			<td><RuleID id="fae6fa37ae9249d58628e54b1a3e521e" /></td>
+			<td>N/A</td>
+			<td>PHP Wrapper Injection</td>
+			<td>N/A</td>
+			<td>Disabled</td>
+			<td>This is a New Detection</td>
+		</tr>
+		<tr>
+			<td>Cloudflare Managed Ruleset</td>
+			<td><RuleID id="9c02e585db34440da620eb668f76bd74" /></td>
+			<td>N/A</td>
+			<td>PHP Wrapper Injection</td>
+			<td>N/A</td>
+			<td>Disabled</td>
+			<td>This is a New Detection</td>
+		</tr>
+		<tr>
+			<td>Cloudflare Managed Ruleset</td>
+			<td><RuleID id="cb67fe56a84747b8b64277dc091e296d" /></td>
+			<td>N/A</td>
+			<td>HTTP parameter pollution</td>
+			<td>N/A</td>
+			<td>Disabled</td>
+			<td>This is a New Detection</td>
+		</tr>
+		<tr>
+			<td>Cloudflare Managed Ruleset</td>
+			<td><RuleID id="443b54d984944cd69043805ee34214ef" /></td>
+			<td>N/A</td>
+			<td>Prototype Pollution - Common Payloads - Beta</td>
+			<td>N/A</td>
+			<td>Disabled</td>
+			<td>This is a New Detection</td>
+		</tr>
+	</tbody>
+</table>
