WAF Release - 2025-11-10

WAF

This week’s release introduces new detections for Prototype Pollution across three common vectors: URI, Body, and Header/Form.

Key Findings

  • These attacks can affect both API and web applications by altering normal behavior or bypassing security controls.

Impact

Exploitation may allow attackers to change internal logic or cause unexpected behavior in applications using JavaScript or Node.js frameworks. Developers should sanitize input keys and avoid merging untrusted data structures.
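
The advice above (sanitize input keys, avoid merging untrusted structures) can be applied as in the following added example, which is not Cloudflare's code or rule logic. The names BLOCKED_KEYS, findPollutionKey, safeMerge and the sample body are assumptions made for illustration.

```javascript
// Added example: keys that can reach Object.prototype during a recursive merge.
const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);

const isPlainObject = (v) =>
  v !== null && typeof v === "object" && !Array.isArray(v);

// Returns the path of the first blocked key found in parsed input, or null.
function findPollutionKey(value, path = "") {
  if (value === null || typeof value !== "object") return null;
  for (const key of Object.keys(value)) {
    const here = path ? `${path}.${key}` : key;
    if (BLOCKED_KEYS.has(key)) return here;
    const nested = findPollutionKey(value[key], here);
    if (nested) return nested;
  }
  return null;
}

// Deep merge that copies own enumerable keys only and skips blocked keys.
// Nested targets are created without a prototype, so nothing is inherited.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const src = source[key];
    if (isPlainObject(src)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      const dst = own && isPlainObject(target[key]) ? target[key] : Object.create(null);
      target[key] = safeMerge(dst, src);
    } else {
      target[key] = src;
    }
  }
  return target;
}

// Constructed sample body, as a JSON API might receive it.
const sampleBody = JSON.parse(
  '{"theme":"dark","prefs":{"__proto__":{"isAdmin":true},"lang":"en"}}'
);

function demo() {
  const merged = safeMerge(Object.create(null), sampleBody);
  return {
    flagged: findPollutionKey(sampleBody), // reject or log the request on a hit
    merged,
    polluted: ({}).isAdmin === true, // stays false: the prototype is untouched
  };
}
```

Rejecting the request when findPollutionKey returns a path is the stricter option; safeMerge alone drops the blocked keys silently and keeps the rest of the input.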

Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments
--- | --- | --- | --- | --- | --- | ---
Cloudflare Managed Ruleset | | N/A | Generic Rules - Prototype Pollution - URI | Log | Disabled | This is a new detection
Cloudflare Managed Ruleset | | N/A | Generic Rules - Prototype Pollution - Body | Log | Disabled | This is a new detection
Cloudflare Managed Ruleset | | N/A | Generic Rules - Prototype Pollution - Header - Form | Log | Disabled | This is a new detection