General updates
WAF Release - 2026-02-16
This week’s release introduces new detections for CVE-2025-68645 and CVE-2025-31125.
Key Findings
- CVE-2025-68645: A Local File Inclusion (LFI) vulnerability in the Webmail Classic UI of Zimbra Collaboration Suite (ZCS) 10.0 and 10.1 allows unauthenticated remote attackers to craft requests to the `/h/rest` endpoint, improperly influence internal dispatching, and include arbitrary files from the WebRoot directory.
- CVE-2025-31125: Vite, the JavaScript frontend tooling framework, exposes the content of non-allowed files via `?inline&import` when its development server is network-exposed, enabling unauthorized attackers to read arbitrary files and potentially leak sensitive information.
| Ruleset | Legacy Rule ID | Description | Previous Action | New Action | Comments |
|---|---|---|---|---|---|
| Cloudflare Managed Ruleset | N/A | Zimbra - Local File Inclusion - CVE:CVE-2025-68645 | Log | Block | This is a new detection. |
| Cloudflare Managed Ruleset | N/A | Vite - WASM Import Path Traversal - CVE:CVE-2025-31125 | Log | Block | This is a new detection. |
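Both new rules target the same underlying behaviour: a path that escapes the directory the endpoint is allowed to serve once percent-encoding and `..` segments are resolved. The script below is an added example, not Cloudflare's rule logic and not code from Zimbra or Vite. It runs two illustrative heuristics over constructed request lines: one for requests to the Zimbra Classic UI `/h/rest` dispatcher whose normalised path leaves that prefix, and one for the Vite `?inline&import` combination requesting a path outside an assumed set of source roots. The `VITE_ALLOWED_PREFIXES` tuple and every sample request are assumptions made for the example.

```python
import posixpath
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed request lines for the demonstration (not captured traffic).
SAMPLE_REQUESTS = [
    "GET /h/rest/../../WEB-INF/web.xml HTTP/1.1",
    "GET /h/rest/%2e%2e%2f%2e%2e%2fWEB-INF/web.xml HTTP/1.1",
    "GET /h/rest/calendar?fmt=ics HTTP/1.1",
    "GET /src/main.ts?import HTTP/1.1",
    "GET /.env?inline&import HTTP/1.1",
    "GET /src/../../etc/hostname?inline&import HTTP/1.1",
    "GET /index.html HTTP/1.1",
]

# Assumed source roots a Vite dev server is expected to serve from. Real projects
# configure this via server.fs.allow; these prefixes are an assumption for the example.
VITE_ALLOWED_PREFIXES = ("/src/", "/node_modules/", "/@vite/")

ZIMBRA_REST_PREFIX = "/h/rest"


def decode_fully(value, rounds=3):
    """Percent-decode repeatedly so double-encoded sequences (%252e) are resolved."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def normalise_path(path):
    """Decode, then collapse '.' and '..' the way a server-side path resolver would."""
    decoded = decode_fully(path).replace("\\", "/")
    # lstrip avoids a leading '//' which posixpath.normpath would preserve.
    return posixpath.normpath("/" + decoded.lstrip("/"))


def has_dot_dot(path):
    """True if any decoded path segment is a literal '..'."""
    return ".." in decode_fully(path).split("/")


def classify(request_line):
    """Return a reason string when a request matches one of the heuristics, else None."""
    target = request_line.split()[1]
    parts = urlsplit(target)
    decoded_path = decode_fully(parts.path)
    norm = normalise_path(parts.path)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))

    # Heuristic 1: a request aimed at the Classic UI REST dispatcher whose path
    # escapes that prefix once traversal segments are resolved.
    if decoded_path.startswith(ZIMBRA_REST_PREFIX):
        inside = norm == ZIMBRA_REST_PREFIX or norm.startswith(ZIMBRA_REST_PREFIX + "/")
        if not inside or has_dot_dot(parts.path):
            return "zimbra-rest-traversal"

    # Heuristic 2: the Vite '?inline&import' combination requesting a path that is
    # not under an allowed source root, or that contains traversal segments.
    if "inline" in params and "import" in params:
        allowed = any(norm.startswith(p) for p in VITE_ALLOWED_PREFIXES)
        if not allowed or has_dot_dot(parts.path):
            return "vite-inline-import-read"

    return None


def scan(request_lines):
    """Return [(request_line, reason)] for every flagged request."""
    hits = []
    for line in request_lines:
        reason = classify(line)
        if reason:
            hits.append((line, reason))
    return hits


if __name__ == "__main__":
    for line, reason in scan(SAMPLE_REQUESTS):
        print(f"{reason:24} {line}")
```

Decoding before normalising matters: the second sample is the first one with `%2e%2e%2f` in place of `../`, and a check on the raw path would miss it. Heuristics like these are a compensating control only; the page's own framing (patch Zimbra, and do not network-expose a Vite development server) is the actual fix.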
WAF Release - 2026-02-10
This week’s release changes the rule action from BLOCK to Disabled for Anomaly:Header:User-Agent - Fake Google Bot.
| Ruleset | Legacy Rule ID | Description | Previous Action | New Action | Comments |
|---|---|---|---|---|---|
| Cloudflare Managed Ruleset | N/A | Anomaly:Header:User-Agent - Fake Google Bot | Enabled | Disabled | We are changing the action for this rule from BLOCK to Disabled. |
WAF Release - 2026-02-02
This week’s release introduces new detections for CVE-2025-64459 and CVE-2025-24893.
Key Findings
- CVE-2025-64459: Django versions prior to 5.1.14, 5.2.8, and 4.2.26 are vulnerable to SQL injection via crafted dictionaries passed to QuerySet methods and the `Q()` class.
- CVE-2025-24893: XWiki allows unauthenticated remote code execution through crafted requests to the SolrSearch endpoint, affecting the entire installation.
| Ruleset | Legacy Rule ID | Description | Previous Action | New Action | Comments |
|---|---|---|---|---|---|
| Cloudflare Managed Ruleset | N/A | XWiki - Remote Code Execution - CVE:CVE-2025-24893 2 | Log | Block | This is a new detection. |
| Cloudflare Managed Ruleset | N/A | Django SQLI - CVE:CVE-2025-64459 | Log | Block | This is a new detection. |
| Cloudflare Managed Ruleset | N/A | NoSQL, MongoDB - SQLi - Comparison - 2 | Block | Block | Rule metadata description refined. Detection unchanged. |
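The Django finding above describes a class of bug that a WAF rule can only partially cover: the dangerous pattern is an application passing a request-controlled dictionary straight into `filter(**kwargs)` or `Q(**kwargs)`, so every key, not just every value, is attacker-chosen. The code below is an added example, not Django's code and not Cloudflare's rule logic. It shows the application-side control that complements upgrading to a patched release: an explicit allowlist of fields and lookups applied before the dictionary is splatted, which also rejects the underscore-prefixed keys `Q()` treats as internal options. The field and lookup allowlists and the sample query strings are assumptions made for the example.

```python
from urllib.parse import parse_qsl

# Constructed allowlists for an example view. A real view derives these from the
# fields it actually intends to expose; nothing here comes from the Django project.
ALLOWED_FIELDS = {"title", "author", "published"}
ALLOWED_LOOKUPS = {"exact", "iexact", "icontains", "gte", "lte"}


class UnsafeLookup(ValueError):
    """Raised when a request-supplied key must not reach filter(**kwargs) or Q(**kwargs)."""


def sanitise_filter_kwargs(query_string: str) -> dict:
    """Build kwargs from a user-controlled query string that are safe to splat into
    QuerySet.filter()/exclude()/get() or Q().

    The vulnerable pattern this replaces is
        Book.objects.filter(**request.GET.dict())
    where the keys themselves, including ones Django reserves, are attacker-chosen.
    """
    kwargs = {}
    for key, value in parse_qsl(query_string, keep_blank_values=True):
        # Q() accepts underscore-prefixed internal options (_connector, _negated);
        # such keys have no business arriving from a request.
        if key.startswith("_"):
            raise UnsafeLookup(f"reserved key rejected: {key!r}")
        field, sep, lookup = key.partition("__")
        if field not in ALLOWED_FIELDS:
            raise UnsafeLookup(f"field not exposed: {field!r}")
        # A second '__' would traverse a relation; only plain lookups on an
        # allowlisted field are accepted here.
        if sep and lookup not in ALLOWED_LOOKUPS:
            raise UnsafeLookup(f"lookup not permitted: {lookup!r}")
        kwargs[key] = value
    return kwargs


def is_rejected(query_string: str) -> bool:
    """True if the query string is refused by the allowlist (used by the demo below)."""
    try:
        sanitise_filter_kwargs(query_string)
    except UnsafeLookup:
        return True
    return False


if __name__ == "__main__":
    print(sanitise_filter_kwargs("title__icontains=django&published__gte=2024"))
    for bad in ("_connector=OR", "password=x", "author__name__icontains=a"):
        print(bad, "->", "rejected" if is_rejected(bad) else "accepted")
```

The allowlist is defence in depth, not a substitute for the fixed versions named in the finding: a WAF sees only the encoded request and cannot know which keys a given view is prepared to accept, whereas the view can.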
WAF Release - 2026-01-26
This week’s release introduces new detections for denial-of-service attempts targeting React [CVE-2026-23864](https://www.cve.org/CVERecord?id=CVE-2026-23864).
Key Findings
- [CVE-2026-23864](https://www.cve.org/CVERecord?id=CVE-2026-23864) affects the `react-server-dom-parcel`, `react-server-dom-turbopack`, and `react-server-dom-webpack` packages.
- Attackers can send crafted HTTP requests to Server Function endpoints, causing server crashes, out-of-memory exceptions, or excessive CPU usage.
| Ruleset | Legacy Rule ID | Description | Previous Action | New Action | Comments |
|---|---|---|---|---|---|
| Cloudflare Managed Ruleset | N/A | React Server - DOS - CVE:CVE-2026-23864 - 1 | N/A | Block | This is a new detection. |
| Cloudflare Managed Ruleset | N/A | React Server - DOS - CVE:CVE-2026-23864 - 2 | N/A | Block | This is a new detection. |
| Cloudflare Managed Ruleset | N/A | React Server - DOS - CVE:CVE-2026-23864 - 3 | N/A | Block | This is a new detection. |
WAF Release - 2026-01-20
This week's release focuses on improvements to existing detections to enhance coverage.
Key Findings
- Existing rule enhancements have been deployed to improve detection resilience against SQL injection.
| Ruleset | Legacy Rule ID | Description | Previous Action | New Action | Comments |
|---|---|---|---|---|---|
| Cloudflare Managed Ruleset | N/A | SQLi - Comment - Beta | Log | Block | This rule is merged into the original rule "SQLi - Comment" (ID: |
| Cloudflare Managed Ruleset | N/A | SQLi - Comparison - Beta | Log | Block | This rule is merged into the original rule "SQLi - Comparison" (ID: |
WAF Release - 2026-01-15
This week's release focuses on improvements to existing detections to enhance coverage.
Key Findings
- Existing rule enhancements have been deployed to improve detection resilience against SQL Injection.
| Ruleset | Legacy Rule ID | Description | Previous Action | New Action | Comments |
|---|---|---|---|---|---|
| Cloudflare Managed Ruleset | N/A | SQLi - String Function - Beta | Log | Block | This rule is merged into the original rule "SQLi - String Function" (ID: |
| Cloudflare Managed Ruleset | N/A | SQLi - Sub Query - Beta | Log | Block | This rule is merged into the original rule "SQLi - Sub Query" (ID: |
WAF Release - 2026-01-12
This week's release focuses on improvements to existing detections to enhance coverage.
Key Findings
- Existing rule enhancements have been deployed to improve detection resilience against SQL Injection.
| Ruleset | Legacy Rule ID | Description | Previous Action | New Action | Comments |
|---|---|---|---|---|---|
| Cloudflare Managed Ruleset | N/A | SQLi - AND/OR MAKE_SET/ELT - Beta | Log | Block | This rule is merged into the original rule "SQLi - AND/OR MAKE_SET/ELT" (ID: |
| Cloudflare Managed Ruleset | N/A | SQLi - Benchmark Function - Beta | Log | Block | This rule is merged into the original rule "SQLi - Benchmark Function" (ID: |
WAF Release - 2025-12-18
This week's release focuses on improvements to existing detections to enhance coverage.
Key Findings
- Existing rule enhancements have been deployed to improve detection resilience against broad classes of web attacks and strengthen behavioral coverage.
| Ruleset | Legacy Rule ID | Description | Previous Action | New Action | Comments |
|---|---|---|---|---|---|
| Cloudflare Managed Ruleset | N/A | Atlassian Confluence - Code Injection - CVE:CVE-2021-26084 - Beta | Log | Block | This rule is merged into the original rule "Atlassian Confluence - Code Injection - CVE:CVE-2021-26084" (ID: |
| Cloudflare Managed Ruleset | N/A | PostgreSQL - SQLi - Copy - Beta | Log | Block | This rule is merged into the original rule "PostgreSQL - SQLi - COPY" (ID: |
| Cloudflare Managed Ruleset | N/A | Generic Rules - Command Execution - Body | Log | Disabled | This is a new detection. |
| Cloudflare Managed Ruleset | N/A | Generic Rules - Command Execution - Header | Log | Disabled | This is a new detection. |
| Cloudflare Managed Ruleset | N/A | Generic Rules - Command Execution - URI | Log | Disabled | This is a new detection. |
| Cloudflare Managed Ruleset | N/A | SQLi - Tautology - URI - Beta | Log | Block | This rule is merged into the original rule "SQLi - Tautology - URI" (ID: |
| Cloudflare Managed Ruleset | N/A | SQLi - WaitFor Function - Beta | Log | Block | This rule is merged into the original rule "SQLi - WaitFor Function" (ID: |
| Cloudflare Managed Ruleset | N/A | SQLi - AND/OR Digit Operator Digit 2 - Beta | Log | Block | This rule is merged into the original rule "SQLi - AND/OR Digit Operator Digit" (ID: |
| Cloudflare Managed Ruleset | N/A | SQLi - Equation 2 - Beta | Log | Block | This rule is merged into the original rule "SQLi - Equation" (ID: |
WAF Release - 2025-12-11 - Emergency
This emergency release introduces rules for CVE-2025-55183 and CVE-2025-55184, targeting server-side function exposure and resource-exhaustion patterns, respectively.
Key Findings
Added coverage for Leaking Server Functions (CVE-2025-55183) and React Function DoS detection (CVE-2025-55184).
Impact
These updates strengthen protection for server-function abuse techniques (CVE-2025-55183, CVE-2025-55184) that may expose internal logic or disrupt application availability.
| Ruleset | Legacy Rule ID | Description | Previous Action | New Action | Comments |
|---|---|---|---|---|---|
| Cloudflare Managed Ruleset | N/A | React - Leaking Server Functions - CVE:CVE-2025-55183 | N/A | Block | This was labeled as Generic - Server Function Source Code Exposure. |
| Cloudflare Free Ruleset | N/A | React - Leaking Server Functions - CVE:CVE-2025-55183 | N/A | Block | This was labeled as Generic - Server Function Source Code Exposure. |
| Cloudflare Managed Ruleset | N/A | React - DoS - CVE:CVE-2025-55184 | N/A | Disabled | This was labeled as Generic - Server Function Resource Exhaustion. |
WAF Release - 2025-12-10 - Emergency
This additional emergency release introduces improvements to our existing rule for React - Remote Code Execution - CVE-2025-55182 - 2, along with two new generic detections covering server-side function exposure and resource-exhaustion patterns.
Key Findings
Enhanced detection logic for React – RCE – CVE-2025-55182, added Generic – Server Function Source Code Exposure, and added Generic – Server Function Resource Exhaustion.
Impact
These updates strengthen protection against React RCE exploitation attempts and broaden coverage for common server-function abuse techniques that may expose internal logic or disrupt application availability.
| Ruleset | Legacy Rule ID | Description | Previous Action | New Action | Comments |
|---|---|---|---|---|---|
| Cloudflare Managed Ruleset | N/A | React - Remote Code Execution - CVE:CVE-2025-55182 - 2 | N/A | Block | This is an improved detection. |
| Cloudflare Free Ruleset | N/A | React - Remote Code Execution - CVE:CVE-2025-55182 - 2 | N/A | Block | This is an improved detection. |
| Cloudflare Managed Ruleset | N/A | Generic - Server Function Source Code Exposure | N/A | Block | This is a new detection. |
| Cloudflare Free Ruleset | N/A | Generic - Server Function Source Code Exposure | N/A | Block | This is a new detection. |
| Cloudflare Managed Ruleset | N/A | Generic - Server Function Resource Exhaustion | N/A | Disabled | This is a new detection. |
Increased WAF payload limit for all plans
Cloudflare WAF now inspects request payloads of up to 1 MB across all plans to enhance our detection capabilities for React RCE (CVE-2025-55182).
Key Findings
React payloads commonly have a default maximum size of 1 MB. Cloudflare WAF previously inspected up to 128 KB on Enterprise plans, with even lower limits on other plans.
Update: We later reinstated the maximum request-payload size the Cloudflare WAF inspects. Refer to Updating the WAF maximum payload values for details.
Updating the WAF maximum payload values
We are reinstating the maximum request-payload size the Cloudflare WAF inspects, with WAF on Enterprise zones inspecting up to 128 KB.
Key Findings
On December 5, 2025, we initially attempted to increase the maximum WAF payload limit to 1 MB across all plans. However, an automatic rollout for all customers proved impractical because the increase led to a surge in false positives for existing managed rules.
This issue was particularly notable within the Cloudflare Managed Ruleset and the Cloudflare OWASP Core Ruleset, impacting customer traffic.
Impact
Customers on paid plans can increase the limit to 1 MB for any of their zones by contacting Cloudflare Support. Free zones are already protected up to 1 MB and do not require any action.
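The two payload-limit entries above describe a trade-off that is easy to state and worth seeing concretely: a body rule can only match what lies inside the bytes it inspects, so raising the cap closes an evasion window but also exposes more benign content to the same signatures. The script below is an added example, not Cloudflare's inspection engine or rule logic. It models a body rule as a regex applied to the first `limit` bytes and runs it over constructed bodies under the 128 KB and 1 MB caps named on the page. The SQL tautology used as the signature is a stand-in chosen only because it is well known; the filler sizes and the benign "code-review note" body are assumptions made for the example.

```python
import re

KB = 1024
ENTERPRISE_LIMIT = 128 * KB   # cap reinstated for Enterprise zones
RAISED_LIMIT = 1024 * KB      # 1 MB cap attempted on 2025-12-05

# Stand-in for a body-inspection signature. Not Cloudflare's rule logic.
SIGNATURE = re.compile(rb"'\s*OR\s+1\s*=\s*1", re.IGNORECASE)


def inspect(body: bytes, limit: int) -> bool:
    """Model of a WAF body rule: only the first `limit` bytes of the body are scanned.
    A signature that starts inside the window but ends past it is also missed,
    because the slice truncates it."""
    return SIGNATURE.search(body[:limit]) is not None


def attack_body(filler_len: int) -> bytes:
    """Constructed malicious body: benign filler, then the signature at offset filler_len."""
    return b"A" * filler_len + b"' OR 1=1--"


def benign_body(filler_len: int) -> bytes:
    """Constructed legitimate body: a large text field that happens to quote the
    tautology (think of a code-review note pasted into a ticket). A match on it is
    a false positive."""
    return (b'{"notes":"' + b"x" * filler_len
            + b" reviewer flagged the string ' OR 1=1 in the test fixture\"}")


def verdicts(limit: int) -> dict:
    """Verdicts for the same four bodies under a given inspection cap."""
    return {
        "attack_at_64k": inspect(attack_body(64 * KB), limit),
        "attack_at_200k": inspect(attack_body(200 * KB), limit),
        "attack_at_1m": inspect(attack_body(RAISED_LIMIT), limit),
        "benign_300k": inspect(benign_body(300 * KB), limit),
    }


if __name__ == "__main__":
    for name, limit in (("128 KB cap", ENTERPRISE_LIMIT), ("1 MB cap", RAISED_LIMIT)):
        print(name)
        for case, hit in verdicts(limit).items():
            print(f"  {case:16} {'MATCH' if hit else 'pass'}")
```

Under the 128 KB cap the signature placed at 200 KB passes untouched, which is the gap the 1 MB rollout was meant to close for serialized React bodies that can approach the framework's own 1 MB default. Under the 1 MB cap that body is caught, but so is the benign 300 KB note, which is the false-positive surge the page reports; a body with the signature at exactly 1 MB still passes, because no finite cap inspects everything.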
WAF Release - 2025-12-03 - Emergency
The WAF rule deployed yesterday to block unsafe deserialization-based RCE has been updated. The rule description now reads “React – RCE – CVE-2025-55182”, explicitly mapping to the recently disclosed React Server Components vulnerability. Detection logic remains unchanged.
Key Findings
Rule description updated to reference React – RCE – CVE-2025-55182 while retaining existing unsafe-deserialization detection.
Impact
Improved classification and traceability with no change to coverage against remote code execution attempts.
| Ruleset | Legacy Rule ID | Description | Previous Action | New Action | Comments |
|---|---|---|---|---|---|
| Cloudflare Managed Ruleset | N/A | React - RCE - CVE:CVE-2025-55182 | N/A | Block | Rule metadata description changed. Detection unchanged. |
| Cloudflare Free Ruleset | N/A | React - RCE - CVE:CVE-2025-55182 | N/A | Block | Rule metadata description changed. Detection unchanged. |
WAF Release - 2025-12-02 - Emergency
This week's emergency release introduces a new rule to block a critical RCE vulnerability in widely used web frameworks exploited through unsafe deserialization patterns.
Key Findings
New WAF rule deployed for RCE Generic Framework to block malicious POST requests containing unsafe deserialization patterns. If successfully exploited, this vulnerability allows attackers with network access via HTTP to execute arbitrary code remotely.
Impact
- Successful exploitation allows unauthenticated attackers to execute arbitrary code remotely through crafted serialization payloads, enabling complete system compromise, data exfiltration, and potential lateral movement within affected environments.
| Ruleset | Legacy Rule ID | Description | Previous Action | New Action | Comments |
|---|---|---|---|---|---|
| Cloudflare Managed Ruleset | N/A | RCE Generic - Framework | N/A | Block | This is a new detection. |
| Cloudflare Free Ruleset | N/A | RCE Generic - Framework | N/A | Block | This is a new detection. |
WAF Release - 2025-12-01
This week’s release introduces new detections for remote code execution attempts targeting Monsta FTP (CVE-2025-34299), alongside improvements to an existing XSS detection to enhance coverage.
Key Findings
- CVE-2025-34299 is a critical remote code execution flaw in Monsta FTP, arising from improper handling of user-supplied parameters within the file-handling interface. Certain builds allow crafted requests to bypass sanitization and reach backend PHP functions that execute arbitrary commands. Attackers can send manipulated parameters through the web panel to trigger command execution within the application’s runtime environment.
Impact
If exploited, the vulnerability enables full remote command execution on the underlying server, allowing takeover of the hosting environment, unauthorized file access, and potential lateral movement. As the flaw can be triggered without authentication on exposed Monsta FTP instances, it represents a severe risk for publicly reachable deployments.
| Ruleset | Legacy Rule ID | Description | Previous Action | New Action | Comments |
|---|---|---|---|---|---|
| Cloudflare Managed Ruleset | N/A | Monsta FTP - Remote Code Execution - CVE:CVE-2025-34299 | Log | Block | This is a new detection. |
| Cloudflare Managed Ruleset | N/A | XSS - JS Context Escape - Beta | Log | Block | This rule is merged into the original rule "XSS - JS Context Escape" (ID: |