Changelog
New updates and improvements at Cloudflare.
WAF Release - 2025-10-13
This week’s highlights include a new JinJava rule targeting a sandbox-bypass flaw that could allow malicious template input to escape execution controls. The rule improves detection for unsafe template rendering paths.
Key Findings
New WAF rule deployed for JinJava (CVE-2025-59340) to block a sandbox bypass in the template engine that permits attacker-controlled type construction and arbitrary class instantiation; in vulnerable environments this can escalate to remote code execution and full server compromise.
Impact
- CVE-2025-59340 — Exploitation enables attacker-supplied type descriptors / Jackson ObjectMapper abuse, allowing arbitrary class loading, file/URL access (LFI/SSRF primitives) and, with suitable gadget chains, potential remote code execution and system compromise.
| Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
| --- | --- | --- | --- | --- | --- | --- |
| Cloudflare Managed Ruleset | | 100892 | JinJava - SSTI - CVE:CVE-2025-59340 | Log | Block | This is a New Detection |
