From a3b849ce00cfba56a68b0bd5da2f85ba736e6b59 Mon Sep 17 00:00:00 2001 From: vaibhav Date: Fri, 17 Oct 2025 11:51:34 -0700 Subject: [PATCH 1/4] Release-Oct-17-2025: Emergency --- .../waf/2025-10-17-emergency-waf-release.mdx | 229 ++++++++++++++++++ 1 file changed, 229 insertions(+) create mode 100644 src/content/changelog/waf/2025-10-17-emergency-waf-release.mdx diff --git a/src/content/changelog/waf/2025-10-17-emergency-waf-release.mdx b/src/content/changelog/waf/2025-10-17-emergency-waf-release.mdx new file mode 100644 index 000000000000000..aafb84195a1f463 --- /dev/null +++ b/src/content/changelog/waf/2025-10-17-emergency-waf-release.mdx 
@@ -0,0 +1,229 @@ +--- +title: "WAF Release - 2025-10-17 - Emergency" +description: Cloudflare WAF managed rulesets 2025-10-17 emergency release +date: 2025-10-17 +--- + +import { RuleID } from "~/components"; + +This week’s highlights This week introduces several new detections across Cloudflare Managed Rulesets, expanding coverage for high-impact vulnerability classes such as SSRF, SQLi, SSTI, Reverse Shell attempts, and Prototype Pollution. These rules aim to improve protection against attacker-controlled payloads that exploit misconfigurations or unvalidated input in web applications. + +**Key Findings** + +New detections added for multiple exploit categories: + +SSRF (Server-Side Request Forgery) — new rules targeting both local and cloud metadata abuse patterns (Beta). + +SQL Injection (SQLi) — rules for common patterns, sleep/time-based injections, and string/wait function exploitation across headers and URIs. + +SSTI (Server-Side Template Injection) — arithmetic-based probe detections introduced across URI, header, and body fields. + +Reverse Shell and XXE payloads — enhanced heuristics for command execution and XML external entity misuse. + +Prototype Pollution — new Beta rule identifying common JSON payload structures used in object prototype poisoning. + +PHP Wrapper Injection and HTTP Parameter Pollution detections — to catch path traversal and multi-parameter manipulation attempts. + +Anomaly Header Checks — detecting CRLF injection attempts in header names. + +**Impact** + +They help detect multi-vector payloads that blend SSRF + RCE or SQLi + SSTI attacks, especially in cloud-hosted applications with exposed metadata endpoints or unsafe template rendering. + +Prototype Pollution and HTTP parameter pollution rules address emerging JavaScript supply-chain exploitation patterns increasingly seen in real-world incidents. 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
RulesetRule IDLegacy Rule IDDescriptionPrevious ActionNew ActionComments
Cloudflare Managed RulesetN/AAnomaly:Header - name - CR, LFN/ADisabledThis is a New Detection
Cloudflare Managed RulesetN/AGeneric Rules - Reverse Shell - BodyN/ADisabledThis is a New Detection
Cloudflare Managed RulesetN/AGeneric Rules - Reverse Shell - HeaderN/ADisabledThis is a New Detection
Cloudflare Managed RulesetN/AGeneric Rules - Reverse Shell - URIN/ADisabledThis is a New Detection
Cloudflare Managed RulesetN/AGeneric Rules - XXE - BodyN/ADisabledThis is a New Detection
Cloudflare Managed RulesetN/AGeneric Rules - SQLi - Common Patterns - Header URIN/ADisabledThis is a New Detection
Cloudflare Managed RulesetN/AGeneric Rules - SQLi - Sleep Function - Header URIN/ADisabledThis is a New Detection
Cloudflare Managed RulesetN/AGeneric Rules - SQLi - String Function - Header URIN/ADisabledThis is a New Detection
Cloudflare Managed RulesetN/AGeneric Rules - SQLi - WaitFor Function - Header URIN/ADisabledThis is a New Detection
Cloudflare Managed RulesetN/ASSRF - Local - BetaN/ADisabledThis is a New Detection
Cloudflare Managed RulesetN/ASSRF - Local - 2 - BetaN/ADisabledThis is a New Detection
Cloudflare Managed RulesetN/ASSRF - Cloud - BetaN/ADisabledThis is a New Detection
Cloudflare Managed RulesetN/ASSRF - Cloud - 2 - BetaN/ADisabledThis is a New Detection
Cloudflare Managed RulesetN/ASSTI - Arithmetic Probe - URIN/ADisabledThis is a New Detection
Cloudflare Managed RulesetN/ASSTI - Arithmetic Probe - HeaderN/ADisabledThis is a New Detection
Cloudflare Managed RulesetN/ASSTI - Arithmetic Probe - BodyN/ADisabledThis is a New Detection
Cloudflare Managed RulesetN/APHP Wrapper InjectionN/ADisabledThis is a New Detection
Cloudflare Managed RulesetN/APHP Wrapper InjectionN/ADisabledThis is a New Detection
Cloudflare Managed RulesetN/AHTTP parameter pollutionN/ADisabledThis is a New Detection
Cloudflare Managed RulesetN/APrototype Pollution - Common Payloads - BetaN/ADisabledThis is a New Detection
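Review bot: the table lists "PHP Wrapper Injection" twice with an identical description and no location suffix, while the Reverse Shell, SSTI and SQLi entries are disambiguated with "- Body", "- Header" and "- URI"; either one row is a duplicate or the two rules need distinct descriptions such as "PHP Wrapper Injection - URI" and "PHP Wrapper Injection - Body". Every row also shows New Action "Disabled", but the highlights text never says so; add a sentence stating that these detections ship disabled and must be enabled in a customer's managed ruleset deployment (Log mode first is the usual rollout), so readers do not assume the new coverage is already active. Two smaller points: the first body line fuses the heading "This week’s highlights" with the opening paragraph and needs its own line, and the "Key Findings" entries are plain paragraphs that would read more clearly as a bulleted list.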
\ No newline at end of file From 27226793dc42fcfd9465d42347a384df784a800c Mon Sep 17 00:00:00 2001 From: "Haley C." <87731946+haleycode@users.noreply.github.com> Date: Fri, 17 Oct 2025 15:16:46 -0500 Subject: [PATCH 2/4] Update src/content/changelog/waf/2025-10-17-emergency-waf-release.mdx --- src/content/changelog/waf/2025-10-17-emergency-waf-release.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/changelog/waf/2025-10-17-emergency-waf-release.mdx b/src/content/changelog/waf/2025-10-17-emergency-waf-release.mdx index aafb84195a1f463..99ce77818b2b56d 100644 --- a/src/content/changelog/waf/2025-10-17-emergency-waf-release.mdx +++ b/src/content/changelog/waf/2025-10-17-emergency-waf-release.mdx @@ -28,7 +28,7 @@ Anomaly Header Checks — detecting CRLF injection attempts in header names. **Impact** -They help detect multi-vector payloads that blend SSRF + RCE or SQLi + SSTI attacks, especially in cloud-hosted applications with exposed metadata endpoints or unsafe template rendering. +These updates help detect multi-vector payloads that blend SSRF + RCE or SQLi + SSTI attacks, especially in cloud-hosted applications with exposed metadata endpoints or unsafe template rendering. Prototype Pollution and HTTP parameter pollution rules address emerging JavaScript supply-chain exploitation patterns increasingly seen in real-world incidents. From e7d863d8412493bc4de6222bb3084a9cee747b06 Mon Sep 17 00:00:00 2001 From: "Haley C." <87731946+haleycode@users.noreply.github.com> Date: Fri, 17 Oct 2025 15:16:56 -0500 Subject: [PATCH 3/4] Update src/content/changelog/waf/2025-10-17-emergency-waf-release.mdx --- .../changelog/waf/2025-10-17-emergency-waf-release.mdx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/content/changelog/waf/2025-10-17-emergency-waf-release.mdx b/src/content/changelog/waf/2025-10-17-emergency-waf-release.mdx index 99ce77818b2b56d..99e3b3b422c3f0e 100644 
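Review bot: the rewording fixes the dangling "They", but the trailing context line still groups HTTP parameter pollution with prototype pollution as "emerging JavaScript supply-chain exploitation patterns"; HTTP parameter pollution is a generic parameter-parsing weakness with no tie to JavaScript dependencies, so split the claim, keeping the supply-chain point for prototype pollution and describing HPP as multi-parameter manipulation, as the Key Findings already do. Consider "These rules help detect" instead of "These updates help detect" to match "These rules aim to" in the opening paragraph.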
--- a/src/content/changelog/waf/2025-10-17-emergency-waf-release.mdx +++ b/src/content/changelog/waf/2025-10-17-emergency-waf-release.mdx @@ -1,6 +1,6 @@ --- -title: "WAF Release - 2025-10-17 - Emergency" -description: Cloudflare WAF managed rulesets 2025-10-17 emergency release +title: New detections released for WAF managed rulesets +description: New Cloudflare WAF managed rulesets release to improve protection against attacker-controlled payloads date: 2025-10-17 --- From 7333a0420f145507a043de749683894fda9fad03 Mon Sep 17 00:00:00 2001 From: "Haley C." <87731946+haleycode@users.noreply.github.com> Date: Fri, 17 Oct 2025 15:17:03 -0500 Subject: [PATCH 4/4] Update src/content/changelog/waf/2025-10-17-emergency-waf-release.mdx --- src/content/changelog/waf/2025-10-17-emergency-waf-release.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/changelog/waf/2025-10-17-emergency-waf-release.mdx b/src/content/changelog/waf/2025-10-17-emergency-waf-release.mdx index 99e3b3b422c3f0e..3001df61385c0d0 100644 --- a/src/content/changelog/waf/2025-10-17-emergency-waf-release.mdx +++ b/src/content/changelog/waf/2025-10-17-emergency-waf-release.mdx 
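Review bot: the new title drops both the date and the "Emergency" qualifier, so the entry no longer signals an out-of-band release even though the filename 2025-10-17-emergency-waf-release.mdx still does; keep the qualifier (for example "Emergency release: new detections for WAF managed rulesets") or say in the body why this release is outside the normal schedule. In the description, "managed rulesets release" reads awkwardly; "New Cloudflare WAF Managed Rulesets release that improves protection against attacker-controlled payloads" or similar is clearer.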
@@ -6,7 +6,7 @@ date: 2025-10-17 import { RuleID } from "~/components"; -This week’s highlights This week introduces several new detections across Cloudflare Managed Rulesets, expanding coverage for high-impact vulnerability classes such as SSRF, SQLi, SSTI, Reverse Shell attempts, and Prototype Pollution. These rules aim to improve protection against attacker-controlled payloads that exploit misconfigurations or unvalidated input in web applications. +This week we introduced several new detections across Cloudflare Managed Rulesets, expanding coverage for high-impact vulnerability classes such as SSRF, SQLi, SSTI, Reverse Shell attempts, and Prototype Pollution. These rules aim to improve protection against attacker-controlled payloads that exploit misconfigurations or unvalidated input in web applications. **Key Findings**
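Review bot: folding the fused "This week’s highlights" heading into the sentence fixes the broken line, but the section now opens with body text while "**Key Findings**" and "**Impact**" remain bold pseudo-headings; if the changelog uses Markdown headings elsewhere, convert those to headings as well rather than leaving two styles in one entry. "This week we introduced" is relative wording in an entry that already carries date: 2025-10-17; "This release introduces" avoids the ambiguity when the entry is read later.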