The OWASP CRS is a collection of generic attack detection rules aimed at safeguarding web applications against a range of threats, including those outlined in the OWASP Top Ten, while minimizing false alerts. The recent update, Coreruleset v4.13.0, introduces several important modifications, such as addressing the double URL decode issue, adding new features and detections, and removing rule 952100 (detection of Java source code leakage). Further modifications include an extended prototype pollution payload, a fix for a false positive triggered by e-mail addresses, and the resolution of tag inconsistencies on a per-file basis.
Coreruleset Release v4.13.0
The OWASP CRS is a set of generic attack detection rules for use with ModSecurity or compatible web application firewalls. The CRS aims to protect web applications from a wide range of attacks, including the OWASP Top Ten, with a minimum of false alerts.
What's Changed
Important changes
New features and detections
- feat: block header related to CVE-2025-29927 (Next.js) by @azurit in #4053
- feat: added new XSS payloads by @Xhoenix in #4055
- feat: add potential malicious file extensions into tx.restricted_extensions by @Xhoenix in #4068
- feat: add additional files commonly accessed by bots by @EsadCetiner in #4069
- feat: adding .dist and .dpkg-dist into tx.restricted_extensions by @azurit in #4057
- feat: add more default session cookie names by @Xhoenix in #4062
Rule removals
Other Changes
- fix(934130): extend prototype pollution payload by @Xhoenix in #4036
- fix: rule 930110 is not supposed to match bare '..' without (back)slashes by @azurit in #4050
- fix: use boundary to fix false positive with email firstname.dockery@host.tld by @EsadCetiner in #4045
- feat: refresh restricted-upload.data by @S0obi in #4046
- fix: tag inconsistency per file by @Xhoenix in #4031
- fix: added pre-check of unset TX variable by @airween in #4066
- fix: false positive found in quantitative testing round 2 for unix rce rules (932230 PL-1, 932235 PL-1, 932250 PL-1, 932260 PL-1, 932231 PL-2, 932220 PL-2, 932236 PL-2, 932239 PL-2, 932232 PL-3, 932238 PL-3) by @EsadCetiner in #4019
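Two of the fixes above are the same kind of change: a pattern that matched a substring it was never meant to match is tightened so it fires only in the intended context (a word boundary around a command name, a slash next to the `..` of rule 930110). The following added example illustrates that effect; it is not CRS code, and the regular expressions in it are deliberately simplified stand-ins, not the actual rule 930110 or 932xxx patterns. The sample request values are constructed, and the example skips the transformations (normalization) that CRS applies before matching.

```python
import re

# Constructed, simplified stand-ins for the two rule changes. These are NOT the
# real CRS regular expressions; they only reproduce the boundary problem.

# Unix command name: without a boundary, "docker" also matches inside "dockery".
UNIX_CMD_OLD = re.compile(r"docker")
UNIX_CMD_NEW = re.compile(r"\bdocker\b")

# Path traversal: the old form fires on any bare "..", the new form only when the
# dots are attached to a forward or backward slash (assumption: simplified 930110).
TRAVERSAL_OLD = re.compile(r"\.\.")
TRAVERSAL_NEW = re.compile(r"(?:\.\.[/\\]|[/\\]\.\.)")

# Constructed request values: two that should be flagged, two benign look-alikes.
SAMPLE_VALUES = [
    "firstname.dockery@host.tld",   # e-mail address from the changelog entry
    "docker run -it alpine",        # a real command invocation
    "file..txt",                    # bare ".." inside an ordinary file name
    "../../etc/passwd",             # traversal with forward slashes
    "..\\windows\\win.ini",         # traversal with backslashes
    "report.final.pdf",             # no ".." at all
]


def unix_cmd_hits(value: str) -> tuple[bool, bool]:
    """Return (old_pattern_matches, boundary_pattern_matches) for one value."""
    return bool(UNIX_CMD_OLD.search(value)), bool(UNIX_CMD_NEW.search(value))


def traversal_hits(value: str) -> tuple[bool, bool]:
    """Return (bare_dots_matches, slash_adjacent_matches) for one value."""
    return bool(TRAVERSAL_OLD.search(value)), bool(TRAVERSAL_NEW.search(value))


def reduced_false_positives(checker, values):
    """Values the old pattern flagged that the tightened pattern leaves alone."""
    return [v for v in values if checker(v) == (True, False)]


def still_detected(checker, values):
    """Values both patterns flag, i.e. detections kept after the tightening."""
    return [v for v in values if checker(v) == (True, True)]


if __name__ == "__main__":
    for name, checker in (("unix command", unix_cmd_hits), ("traversal", traversal_hits)):
        print(f"{name}: no longer flagged  -> {reduced_false_positives(checker, SAMPLE_VALUES)}")
        print(f"{name}: still flagged      -> {still_detected(checker, SAMPLE_VALUES)}")
```

Run as a script it prints, per pattern, which constructed values stop being flagged and which are still caught; the point is that the benign e-mail address and the `file..txt` name drop out while the command invocation and both traversal forms are still detected.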
New Contributors
Full Changelog: v4.12.0...v4.13.0