Application Security Release Notes

Last updated: Nov 18, 2025

  • Nov 17, 2025
    • Parsed from source:
      Nov 17, 2025
    • Detected by Releasebot:
      Nov 18, 2025

    Application Security by Cloudflare

    WAF Release - 2025-11-17

    This week’s update strengthens detection signatures for DELMIA Apriso to block CVE-2025-6205 exploitation. Enhanced logic reduces risk of unauthenticated access and arbitrary account creation via crafted requests. The security update is now shipping, delivering improved protection.

    This week highlights enhancements to detection signatures improving coverage for vulnerabilities in DELMIA Apriso, linked to CVE-2025-6205.

    Key Findings

    This vulnerability allows unauthenticated attackers to gain privileged access to the application. The latest update provides enhanced detection logic for resilient protection against exploitation attempts.

    Impact

    DELMIA Apriso (CVE-2025-6205): Exploitation could allow an unauthenticated remote attacker to bypass security checks by sending specially crafted requests to the application's message processor. This enables the creation of arbitrary employee accounts, which can be leveraged to modify system configurations and achieve full system compromise.

  • Nov 10, 2025
    • Parsed from source:
      Nov 10, 2025
    • Detected by Releasebot:
      Nov 11, 2025

    Application Security by Cloudflare

    WAF Release - 2025-11-10

    This week’s release introduces new detections for Prototype Pollution across three common vectors: URI, Body, and Header/Form.

    Key Findings

    These attacks can affect both API and web applications by altering normal behavior or bypassing security controls.

    Impact

    Exploitation may allow attackers to change internal logic or cause unexpected behavior in applications using JavaScript or Node.js frameworks. Developers should sanitize input keys and avoid merging untrusted data structures.
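    To make the "sanitize input keys" advice concrete, here is an added example in JavaScript (not Cloudflare's code and not taken from any framework): a recursive merge that pollutes Object.prototype from a constructed JSON body, beside a hardened merge that drops the __proto__, constructor and prototype keys at every nesting level. The probe function, the sample bodies and the isAdmin property name are assumptions for illustration.

```javascript
// Added example, not Cloudflare's code: a recursive merge of an untrusted JSON
// body pollutes Object.prototype; the hardened merge drops the gadget keys.
const GADGET_KEYS = new Set(["__proto__", "constructor", "prototype"]);
const isPlainObject = (v) => v !== null && typeof v === "object" && !Array.isArray(v);

// Vulnerable: copies every key. For key "__proto__", target[key] resolves
// to Object.prototype, so the recursion writes straight into it.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const val = source[key];
    if (isPlainObject(val)) {
      if (!isPlainObject(target[key])) target[key] = {};
      unsafeMerge(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Hardened: skips gadget keys and only descends into own properties, so a
// "__proto__" key at any depth never reaches the prototype chain.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (GADGET_KEYS.has(key)) continue;
    const val = source[key];
    if (isPlainObject(val)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !isPlainObject(target[key])) target[key] = {};
      safeMerge(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Merges a constructed attacker body into defaults and reports whether an
// unrelated fresh object now inherits isAdmin; undoes any pollution afterwards.
function pollutionProbe(mergeFn, rawBody) {
  const defaults = { role: "user", prefs: { theme: "light" } };
  const merged = mergeFn(defaults, JSON.parse(rawBody));
  const leaked = ({}).isAdmin === true;
  delete Object.prototype.isAdmin;
  return { leaked, role: merged.role, theme: merged.prefs.theme };
}

// Constructed sample bodies: top-level and nested __proto__ vectors.
const TOP_LEVEL_BODY = '{"role":"user","__proto__":{"isAdmin":true}}';
const NESTED_BODY = '{"prefs":{"__proto__":{"isAdmin":true},"theme":"dark"}}';
```

    The nested body is the case a top-level-only filter misses, which is why the check has to run inside the recursion rather than once on the parsed object.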

  • Nov 5, 2025
    • Parsed from source:
      Nov 5, 2025
    • Detected by Releasebot:
      Nov 7, 2025

    Application Security by Cloudflare

    WAF Release - 2025-11-05 - Emergency

    Emergency release adds a new detection signature to cover a critical React Native Metro Development Server vulnerability CVE-2025-11953. Unauthenticated requests can trigger remote code execution; patch and restrict network exposure to stay protected. Strengthened defenses help prevent compromise of dev workstations and CI.

    This week’s emergency release introduces a new detection signature that enhances coverage for a critical vulnerability in the React Native Metro Development Server, tracked as CVE-2025-11953.

    Key Findings

    The Metro Development Server exposes an HTTP endpoint that is vulnerable to OS command injection (CWE-78). An unauthenticated network attacker can send a crafted request to this endpoint and execute arbitrary commands on the host running Metro. The vulnerability affects Metro/cli-server-api builds used by React Native Community CLI in pre-patch development releases.

    Impact

    Successful exploitation of CVE-2025-11953 may result in remote command execution on developer workstations or CI/build agents, leading to credential and secret exposure, source tampering, and potential lateral movement into internal networks. Administrators and developers are strongly advised to apply the vendor's patches and restrict Metro’s network exposure to reduce this risk.

  • Nov 3, 2025
    • Parsed from source:
      Nov 3, 2025
    • Detected by Releasebot:
      Oct 28, 2025
    • Modified by Releasebot:
      Nov 4, 2025

    Application Security by Cloudflare

    WAF Release - 2025-11-03

    Security update enhances detection for CVE-2025-54236 in Adobe Commerce and Magento Open Source. New detection logic blocks unauthenticated REST API access and reduces risk of session hijack and remote code execution. Admins should apply patches promptly.

    This week highlights enhancements to detection signatures improving coverage for vulnerabilities in Adobe Commerce and Magento Open Source, linked to CVE-2025-54236.

    Key Findings

    This vulnerability allows unauthenticated attackers to take over customer accounts through the Commerce REST API and, in certain configurations, may lead to remote code execution. The latest update provides enhanced detection logic for resilient protection against exploitation attempts.

    Impact

    Adobe Commerce (CVE-2025-54236): Exploitation may allow attackers to hijack sessions, execute arbitrary commands, steal data, and disrupt storefronts, resulting in confidentiality and integrity risks for merchants. Administrators are strongly encouraged to apply vendor patches without delay.

    This is an improved detection.

  • November 2025
    • No date parsed from source.
    • Detected by Releasebot:
      Nov 18, 2025

    Application Security by Cloudflare

    WAF Release - Scheduled changes for 2025-11-24

    This release adds beta detections for PHP Wrapper Injection in Body and URI, a new FortiWeb authentication bypass detection via the CGIINFO header (CVE-2025-64446), and a beta XSS detection for the JS context. The beta detections will replace the actions on the original detections, signaling upcoming improvements in threat coverage.

    Release Notes

    Announcement Date | Release Date | Release Behavior | Legacy Rule ID | Rule ID | Description | Comments
    2025-11-17 | 2025-11-24 | Log | N/A | ...b6c44ed5 | PHP Wrapper Injection - Body - Beta | This is a beta detection and will replace the action on original detection "PHP Wrapper Injection - Body" (ID: ...1a3e521e)
    2025-11-17 | 2025-11-24 | Log | N/A | ...900f4015 | PHP Wrapper Injection - URI - Beta | This is a beta detection and will replace the action on original detection "PHP Wrapper Injection - URI" (ID: ...8f76bd74)
    2025-11-17 | 2025-11-24 | Log | N/A | ...4e2e1a2e | FortiWeb - Authentication Bypass via CGIINFO Header - CVE:CVE-2025-64446 | This is a new detection
    2025-11-17 | 2025-11-24 | Log | N/A | ...b7492846 | XSS - JS Context Escape - Beta | This is a beta detection and will replace the action on original detection "PHP Wrapper Injection - URI" (ID: ...7a3769d3)
  • November 2025
    • No date parsed from source.
    • Detected by Releasebot:
      Nov 4, 2025

    Application Security by Cloudflare

    WAF Release - Scheduled changes for 2025-11-10

    New Prototype Pollution detections are added for URI, Body, and Header - Form, expanding coverage across requests. An HTTP Truncated Beta detection is introduced and will replace the action on the original detection. Release rollout targets 2025-11-10.

    Announcement Date | Release Date | Release Behavior | Legacy Rule ID | Rule ID | Description | Comments
    2025-10-27 | 2025-11-10 | Log | N/A | ...606285e6 | Generic Rules - Prototype Pollution - URI | This is a new detection
    2025-10-27 | 2025-11-10 | Log | N/A | ...4f59ff26 | Generic Rules - Prototype Pollution - Body | This is a new detection
    2025-10-27 | 2025-11-10 | Log | N/A | ...7efbeb39 | Generic Rules - Prototype Pollution - Header - Form | This is a new detection
    2025-10-27 | 2025-11-10 | Log | N/A | ...9029cd61 | HTTP Truncated Beta | This is a beta detection and will replace the action on original detection (ID: ...c22b51d3)
  • Oct 31, 2025
    • Parsed from source:
      Oct 31, 2025
    • Detected by Releasebot:
      Nov 3, 2025

    Application Security by Cloudflare

    Report logo misuse to Cloudflare directly from the Brand Protection dashboard

    The Brand Protection logo queries dashboard now includes a Report to Cloudflare button that lets you submit an abuse report directly from the dashboard. Previously you could report new domains impersonating your brand; now you can also report websites found to be using your logo without your permission. The abuse report is prefilled, so you only need to validate a few fields before clicking submit, after which our team processes your request.

    Ready to start? Check out the Brand Protection docs.

  • Oct 30, 2025
    • Parsed from source:
      Oct 30, 2025
    • Detected by Releasebot:
      Oct 31, 2025

    Application Security by Cloudflare

    WAF Release - 2025-10-30 - Emergency

    New detection signature boosts coverage for Oracle E-Business Suite CVE-2025-61884, highlighting an unauthenticated remote exploit in Oracle Configurator affecting 12.2.3–12.2.14. Patch guidance and mitigations are advised to reduce exposure.

    This week’s release introduces a new detection signature that enhances coverage for a critical vulnerability in Oracle E-Business Suite, tracked as CVE-2025-61884.

    Key Findings

    The flaw is easily exploitable and allows an unauthenticated attacker with network access to compromise Oracle Configurator, which can grant access to sensitive resources and configuration data. The affected versions include 12.2.3 through 12.2.14.

    Impact

    Successful exploitation of CVE-2025-61884 may result in unauthorized access to critical business data or full exposure of information accessible through Oracle Configurator. Administrators are strongly advised to apply the vendor's patches and recommended mitigations to reduce this exposure.

  • Oct 30, 2025
    • Parsed from source:
      Oct 30, 2025
    • Detected by Releasebot:
      Nov 1, 2025

    Application Security by Cloudflare

    New TCP-based fields available in Rulesets

    Cloudflare adds new Ruleset fields to tailor decisions by TCP usage and RTT. You can see if a request used TCP and measure client RTT to route high latency traffic or differentiate TCP from QUIC. This enables smarter, performance-aware routing policies.

    Cloudflare now provides two new request fields in the Ruleset engine that let you make decisions based on whether a request used TCP and the measured TCP round-trip time between the client and Cloudflare. These fields help you understand protocol usage across your traffic and build policies that respond to network performance. For example, you can distinguish TCP from QUIC traffic or route high latency requests to alternative origins when needed.

    New fields

    Field | Type | Description
    cf.edge.client_tcp | Boolean | Indicates whether the request used TCP. A value of true means the client connected using TCP instead of QUIC.
    cf.timings.client_tcp_rtt_msec | Number | Reports the smoothed TCP round-trip time between the client and Cloudflare in milliseconds. For example, a value of 20 indicates roughly twenty milliseconds of RTT.

    Example filter expression

    cf.edge.client_tcp && cf.timings.client_tcp_rtt_msec < 100
    

    More information can be found in the Rules language fields reference.

  • Oct 27, 2025
    • Parsed from source:
      Oct 27, 2025
    • Detected by Releasebot:
      Oct 28, 2025

    Application Security by Cloudflare

    Cloudforce One RFI tokens are now visible in the dashboard

    What’s new:

    • Users can now see the number of tokens used for a submitted request for information.
    • Users can see the remaining tokens allocated to their account for the quarter.
    • Users can only select the Routine priority for the Strategic Threat Research request type.

    Cloudforce One subscribers can try it now in Application Security > Threat Intelligence > Requests for Information.
