Changelog

New updates and improvements at Cloudflare.

New detections released for WAF managed rulesets

Oct 17, 2025

This week we introduced several new detections across Cloudflare Managed Rulesets, expanding coverage for high-impact vulnerability classes such as SSRF, SQLi, SSTI, Reverse Shell attempts, and Prototype Pollution. These rules aim to improve protection against attacker-controlled payloads that exploit misconfigurations or unvalidated input in web applications.

Key Findings

New detections added for multiple exploit categories:

SSRF (Server-Side Request Forgery) — new rules targeting both local and cloud metadata abuse patterns (Beta).

SQL Injection (SQLi) — rules for common patterns, sleep/time-based injections, and string/wait function exploitation across headers and URIs.

SSTI (Server-Side Template Injection) — arithmetic-based probe detections introduced across URI, header, and body fields.

Reverse Shell and XXE payloads — enhanced heuristics for command execution and XML external entity misuse.

Prototype Pollution — new Beta rule identifying common JSON payload structures used in object prototype poisoning.

PHP Wrapper Injection and HTTP Parameter Pollution detections — to catch path traversal and multi-parameter manipulation attempts.

Anomaly Header Checks — detecting CRLF injection attempts in header names.

Impact

These updates help detect multi-vector payloads that blend SSRF + RCE or SQLi + SSTI attacks, especially in cloud-hosted applications with exposed metadata endpoints or unsafe template rendering.

Prototype Pollution and HTTP parameter pollution rules address emerging JavaScript supply-chain exploitation patterns increasingly seen in real-world incidents.

Ruleset	Legacy Rule ID	Description	Previous Action	New Action	Comments
Cloudflare Managed Ruleset	N/A	Anomaly:Header - name - CR, LF	N/A	Disabled	This is a New Detection
Cloudflare Managed Ruleset	N/A	Generic Rules - Reverse Shell - Body	N/A	Disabled	This is a New Detection
Cloudflare Managed Ruleset	N/A	Generic Rules - Reverse Shell - Header	N/A	Disabled	This is a New Detection
Cloudflare Managed Ruleset	N/A	Generic Rules - Reverse Shell - URI	N/A	Disabled	This is a New Detection
Cloudflare Managed Ruleset	N/A	Generic Rules - XXE - Body	N/A	Disabled	This is a New Detection
Cloudflare Managed Ruleset	N/A	Generic Rules - SQLi - Common Patterns - Header URI	N/A	Disabled	This is a New Detection
Cloudflare Managed Ruleset	N/A	Generic Rules - SQLi - Sleep Function - Header URI	N/A	Disabled	This is a New Detection
Cloudflare Managed Ruleset	N/A	Generic Rules - SQLi - String Function - Header URI	N/A	Disabled	This is a New Detection
Cloudflare Managed Ruleset	N/A	Generic Rules - SQLi - WaitFor Function - Header URI	N/A	Disabled	This is a New Detection
Cloudflare Managed Ruleset	N/A	SSRF - Local - Beta	N/A	Disabled	This is a New Detection
Cloudflare Managed Ruleset	N/A	SSRF - Local - 2 - Beta	N/A	Disabled	This is a New Detection
Cloudflare Managed Ruleset	N/A	SSRF - Cloud - Beta	N/A	Disabled	This is a New Detection
Cloudflare Managed Ruleset	N/A	SSRF - Cloud - 2 - Beta	N/A	Disabled	This is a New Detection
Cloudflare Managed Ruleset	N/A	SSTI - Arithmetic Probe - URI	N/A	Disabled	This is a New Detection
Cloudflare Managed Ruleset	N/A	SSTI - Arithmetic Probe - Header	N/A	Disabled	This is a New Detection
Cloudflare Managed Ruleset	N/A	SSTI - Arithmetic Probe - Body	N/A	Disabled	This is a New Detection
Cloudflare Managed Ruleset	N/A	PHP Wrapper Injection	N/A	Disabled	This is a New Detection
Cloudflare Managed Ruleset	N/A	PHP Wrapper Injection	N/A	Disabled	This is a New Detection
Cloudflare Managed Ruleset	N/A	HTTP parameter pollution	N/A	Disabled	This is a New Detection
Cloudflare Managed Ruleset	N/A	Prototype Pollution - Common Payloads - Beta	N/A	Disabled	This is a New Detection

Was this helpful?

Community
X
Discord
YouTube
GitHub