Application Security Release Notes

Last updated: Feb 18, 2026

  • Feb 16, 2026
    • Date parsed from source:
      Feb 16, 2026
    • First seen by Releasebot:
      Feb 18, 2026

    Application Security by Cloudflare

    WAF - WAF Release - 2026-02-16

    This release adds new detections for CVE-2025-68645 (Zimbra Webmail LFI) and CVE-2025-31125 (Vite development server file exposure). Both rules ship in the Cloudflare Managed Ruleset with their action moving from Log to Block, so protection for these vulnerabilities is now active.

    This week’s release introduces new detections for CVE-2025-68645 and CVE-2025-31125.

    Key Findings

    CVE-2025-68645: A Local File Inclusion (LFI) vulnerability in the Webmail Classic UI of Zimbra Collaboration Suite (ZCS) 10.0 and 10.1 allows unauthenticated remote attackers to craft requests to the /h/rest endpoint, improperly influence internal dispatching, and include arbitrary files from the WebRoot directory.

    CVE-2025-31125: Vite, the JavaScript frontend tooling framework, exposes content of non-allowed files via ?inline&import when its development server is network-exposed, enabling unauthorized attackers to read arbitrary files and potentially leak sensitive information.

    Ruleset

    | Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
    | Cloudflare Managed Ruleset | 695d76ff756844d384cab548833761f7 | N/A | Zimbra - Local File Inclusion - CVE:CVE-2025-68645 | Log | Block | This is a new detection. |
    | Cloudflare Managed Ruleset | 38fff9f3deba46a2abc10a8f950ed8c8 | N/A | Vite - WASM Import Path Traversal - CVE:CVE-2025-31125 | Log | Block | This is a new detection. |
  • February 2026
    • No date parsed from source.
    • First seen by Releasebot:
      Feb 11, 2026

    Application Security by Cloudflare

    Security Center - Enhanced Logo Matching for Brand Protection

    Brand Protection upgrades logo matching with a redesigned model and UI. New configurable match thresholds, visible visual match scores, and direct logo previews in the Cloudflare dashboard to speed triage and expose impersonators.

    We have significantly upgraded our Logo Matching capabilities within Brand Protection. Matching was previously limited to near-exact (approximately 100%) matches; users can now detect a wider range of brand assets through a redesigned matching model and UI.

    What’s new

    • Configurable match thresholds: Users can set a minimum match score (starting at 75%) when creating a logo query to capture subtle variations or high-quality impersonations.
    • Visual match scores: Allow users to see the exact percentage of the match directly in the results table, highlighted with color-coded lozenges to indicate severity.
    • Direct logo previews: Available in the Cloudflare dashboard — similar to string matches — to verify infringements at a glance.

    Key benefits

    • Expose sophisticated impersonators who use slightly altered logos to bypass basic detection filters.
    • Faster triage of the most relevant threats immediately using visual indicators, reducing the time spent manually reviewing matches.
    • Ready to protect your visual identity? Learn more in our Brand Protection documentation.

  • Feb 10, 2026
    • Date parsed from source:
      Feb 10, 2026
    • First seen by Releasebot:
      Feb 11, 2026

    Application Security by Cloudflare

    WAF - WAF Release - 2026-02-10

    Release notes

    This week’s release changes the rule action from BLOCK to Disabled for Anomaly:Header:User-Agent - Fake Google Bot.

    Ruleset

    | Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
    | Cloudflare Managed Ruleset | ce11be543594412bb4bb92516aa0bef8 | N/A | Anomaly:Header:User-Agent - Fake Google Bot | Enabled | Disabled | We are changing the action for this rule from BLOCK to Disabled |
  • Feb 10, 2026
    • Date parsed from source:
      Feb 10, 2026
    • First seen by Releasebot:
      Feb 5, 2026
    • Modified by Releasebot:
      Feb 11, 2026

    Application Security by Cloudflare

    WAF - WAF Release - Scheduled changes for 2026-02-16

    Release Records

    Zimbra - Local File Inclusion - CVE:CVE-2025-68645

    • Announcement Date: 2026-02-10
    • Release Date: 2026-02-16
    • Release Behavior: Log
    • Legacy Rule ID: N/A
    • Rule ID: a219dd28a0694faea0f942d4b0089874
    • Description: Zimbra - Local File Inclusion - CVE:CVE-2025-68645
    • Comments: This is a new detection.

    Vite - WASM Import Path Traversal - CVE:CVE-2025-31125

    • Announcement Date: 2026-02-10
    • Release Date: 2026-02-16
    • Release Behavior: Log
    • Legacy Rule ID: N/A
    • Rule ID: b10164cf42ab47b7ab274b9573b09f52
    • Description: Vite - WASM Import Path Traversal - CVE:CVE-2025-31125
    • Comments: This is a new detection.
  • Feb 3, 2026
    • Date parsed from source:
      Feb 3, 2026
    • First seen by Releasebot:
      Feb 5, 2026

    Application Security by Cloudflare

    Security Center - Threat actor identification with "also known as" aliases

    Cloudflare Threat Events adds an Also known as field with common aliases for threat actors, visible in dashboard and API. This helps map actors to other vendors and quickly recognize matches across feeds.

    Also known as field in Threat Events

    Identifying threat actors can be challenging, because naming conventions often vary across the security industry. To simplify your research, Cloudflare Threat Events now include an Also known as field, providing a list of common aliases and industry-standard names for the groups we track.
    This new field is available in both the Cloudflare dashboard and via the API. In the dashboard, you can view these aliases by expanding the event details side panel (under the Attacker field) or by adding it as a column in your configurable table view.

    Key benefits

    • Easily map Cloudflare-tracked actors to the naming conventions used by other vendors without manual cross-referencing.
    • Quickly identify if a detected threat actor matches a group your team is already monitoring via other intelligence feeds.

    For more information on how to access this data, refer to the Threat Events API documentation.

  • Feb 2, 2026
    • Date parsed from source:
      Feb 2, 2026
    • First seen by Releasebot:
      Feb 3, 2026
    • Modified by Releasebot:
      Feb 5, 2026

    Application Security by Cloudflare

    WAF - WAF Release - 2026-02-02

    New detections for CVE-2025-64459 and CVE-2025-24893 flag Django SQL injection and XWiki remote code execution. Cloudflare Managed Ruleset adds rules for these CVEs with updated detections and rule descriptions, signaling a security release.

    This week’s release

    This week’s release introduces new detections for CVE-2025-64459 and CVE-2025-24893.

    Key Findings

    • CVE-2025-64459: Django versions prior to 5.1.14, 5.2.8, and 4.2.26 are vulnerable to SQL injection via crafted dictionaries passed to QuerySet methods and the Q() class.
    • CVE-2025-24893: XWiki allows unauthenticated remote code execution through crafted requests to the SolrSearch endpoint, affecting the entire installation.

    Ruleset

    | Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
    | Cloudflare Managed Ruleset | 7a47683eacce4abd870ab2c630698ff3 | N/A | XWiki - Remote Code Execution - CVE:CVE-2025-24893 2 | Log | Block | |
    | Cloudflare Managed Ruleset | ad5c52f6ca334ef4a844e5e5da8ba7e6 | N/A | Django SQLI - CVE:CVE-2025-64459 | Log | Block | |
    | Cloudflare Managed Ruleset | f3a89a84e3744021a2f8e9291b138b3e | N/A | NoSQL, MongoDB - SQLi - Comparison | Block | Block | |
  • Jan 27, 2026
    • Date parsed from source:
      Jan 27, 2026
    • First seen by Releasebot:
      Jan 27, 2026

    Application Security by Cloudflare

    Control request and response body buffering in Configuration Rules

    Cloudflare now lets you configure request and response body buffering in Configuration Rules. Choose between Standard, Full, or None for each direction, balancing inspection needs with performance. Be aware that disabling buffering can affect security features like WAF and Bot Management.

    Request body buffering

    Controls how Cloudflare buffers HTTP request bodies before forwarding them to your origin server:

    | Mode | Behavior |
    | Standard (default) | Cloudflare can inspect a prefix of the request body for enabled functionality such as WAF and Bot Management. |
    | Full | Buffers the entire request body before sending to origin. |
    | None | No buffering — the request body streams directly to origin without inspection. |

    Response body buffering

    Controls how Cloudflare buffers HTTP response bodies before forwarding them to the client:

    | Mode | Behavior |
    | Standard (default) | Cloudflare can inspect a prefix of the response body for enabled functionality. |
    | None | No buffering — the response body streams directly to the client without inspection. |

    Setting body buffering to None may break security functionality that requires body inspection, including the Web Application Firewall (WAF) and Bot Management. Ensure that any paths where you disable buffering do not require security inspection.

    These settings only take effect on zones running Cloudflare's latest CDN proxy. Enterprise customers can contact their account team to enable the latest proxy on their zones.

    API example

    {
      "action": "set_config",
      "action_parameters": {
        "request_body_buffering": "standard",
        "response_body_buffering": "none"
      }
    }
    

    For more information, refer to Configuration Rules.
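    The following is an added example, not Cloudflare's code, showing how a deployment team might lint a set of Configuration Rules before pushing them: it rejects values the two tables above do not list (in particular, `full` is only valid for the request direction) and flags any rule that sets a direction to `none` on a path prefix the WAF is still expected to inspect. The sample rules, their expressions and the `INSPECTED_PREFIXES` list are constructed for the example, and the prefix matching is a deliberately simple substring heuristic rather than an evaluator for the rules expression language.

```python
# Allowed values per direction, as listed in the two buffering tables above.
REQUEST_MODES = {"standard", "full", "none"}
RESPONSE_MODES = {"standard", "none"}

# Constructed for the example: path prefixes whose bodies the WAF must still inspect.
INSPECTED_PREFIXES = ["/api/", "/login"]


def validate_buffering(action_parameters):
    """Return a list of error strings for unsupported values (empty means valid)."""
    errors = []
    req = action_parameters.get("request_body_buffering")
    if req is not None and req not in REQUEST_MODES:
        errors.append(f"request_body_buffering: {req!r} is not one of {sorted(REQUEST_MODES)}")
    resp = action_parameters.get("response_body_buffering")
    if resp is not None and resp not in RESPONSE_MODES:
        errors.append(f"response_body_buffering: {resp!r} is not one of {sorted(RESPONSE_MODES)}")
    return errors


def inspection_gaps(rules, inspected_prefixes=INSPECTED_PREFIXES):
    """Return (description, prefix, [directions set to none]) for every rule that
    disables buffering on a path that still needs body inspection.

    Heuristic, constructed for the example: a rule is taken to cover a prefix when
    the prefix appears literally in its expression; a real linter would evaluate
    the expression instead of searching for a substring.
    """
    gaps = []
    for rule in rules:
        params = rule.get("action_parameters", {})
        disabled = [d for d in ("request_body_buffering", "response_body_buffering")
                    if params.get(d) == "none"]
        if not disabled:
            continue
        for prefix in inspected_prefixes:
            if prefix in rule.get("expression", ""):
                gaps.append((rule["description"], prefix, disabled))
    return gaps


def report(rules):
    """Map rule description -> list of problems found by both checks."""
    problems = {}
    for rule in rules:
        for err in validate_buffering(rule.get("action_parameters", {})):
            problems.setdefault(rule["description"], []).append(err)
    for desc, prefix, disabled in inspection_gaps(rules):
        problems.setdefault(desc, []).append(
            f"{', '.join(disabled)} set to none on inspected prefix {prefix}")
    return problems


# Constructed sample rules in the shape of the API example above.
SAMPLE_RULES = [
    {"description": "stream uploads",
     "expression": '(starts_with(http.request.uri.path, "/uploads/"))',
     "action": "set_config",
     "action_parameters": {"request_body_buffering": "none"}},
    {"description": "api no buffering",
     "expression": '(starts_with(http.request.uri.path, "/api/"))',
     "action": "set_config",
     "action_parameters": {"request_body_buffering": "none",
                           "response_body_buffering": "none"}},
    {"description": "bad value",
     "expression": '(http.host eq "example.com")',
     "action": "set_config",
     "action_parameters": {"response_body_buffering": "full"}},
]

if __name__ == "__main__":
    for desc, issues in report(SAMPLE_RULES).items():
        print(desc)
        for issue in issues:
            print("  -", issue)
```

    Run as a script it prints the two problem rules: the `/api/` rule disables both directions on an inspected prefix, and the third rule uses `full` for responses, which the response table does not offer. The `/uploads/` rule passes, which is the intended use of `none`: a path where streaming matters and body inspection is not required.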

  • Jan 26, 2026
    • Date parsed from source:
      Jan 26, 2026
    • First seen by Releasebot:
      Jan 26, 2026
    • Modified by Releasebot:
      Feb 5, 2026

    Application Security by Cloudflare

    WAF - WAF Release - 2026-01-26

    This week’s release adds new DoS detections for React CVE-2026-23864 across server components, blocking crafted requests that could crash or overconsume resources. It expands protections for react-server-dom-* packages with three new Cloudflare rules.

    This week’s release introduces new detections for denial-of-service attempts targeting React CVE-2026-23864 (https://www.cve.org/CVERecord?id=CVE-2026-23864).

    Key Findings

    CVE-2026-23864 (https://www.cve.org/CVERecord?id=CVE-2026-23864) affects react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack packages.
    Attackers can send crafted HTTP requests to Server Function endpoints, causing server crashes, out-of-memory exceptions, or excessive CPU usage.

    Ruleset

    | Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
    | Cloudflare Managed Ruleset | aaede80b4d414dc89c443cea61680354 | N/A | React Server - DOS - CVE:CVE-2026-23864 - 1 | N/A | Block | This is a new detection. |
    | Cloudflare Managed Ruleset | 3e93c9faaafa447c83a525f2dcdffcf8 | N/A | React Server - DOS - CVE:CVE-2026-23864 - 2 | N/A | Block | This is a new detection. |
    | Cloudflare Managed Ruleset | 930020d567684f19b05fb35b349edbc6 | N/A | React Server - DOS - CVE:CVE-2026-23864 - 3 | N/A | Block | This is a new detection. |
  • Jan 26, 2026
    • Date parsed from source:
      Jan 26, 2026
    • First seen by Releasebot:
      Jan 21, 2026
    • Modified by Releasebot:
      Jan 27, 2026

    Application Security by Cloudflare

    WAF Release - Scheduled changes for 2026-01-26

    A security release update adds two new detections for CVE-based RCE and SQLi, with renamed rules and planned rollout. The release has been postponed to ensure a smooth deployment, and dates are set for late January 2026.

    The planned release has been postponed to ensure a smooth deployment.

    Scheduled changes details

    • Announcement Date: 2025-12-01
      Release Date: 2026-01-26
      Release Behavior: Log
      Rule ID: ...30698ff3
      Description: XWiki - Remote Code Execution - CVE:CVE-2025-24893 2
      Comments: This is a new detection. The rule has been renamed to "Wiki - Remote Code Execution - CVE-2025-24893 2", previously known as "XWiki - Remote Code Execution - CVE-2025-24893 – Beta".

    • Announcement Date: 2025-12-01
      Release Date: 2026-01-26
      Release Behavior: Log
      Rule ID: ...da8ba7e6
      Description: Django SQLI - CVE:CVE-2025-64459
      Comments: This is a new detection.

  • Jan 22, 2026
    • Date parsed from source:
      Jan 22, 2026
    • First seen by Releasebot:
      Jan 22, 2026

    Application Security by Cloudflare

    New cryptographic functions — encode_base64() and sha256()

    Cloudflare Rulesets now support encode_base64 and sha256 functions to generate signed request headers directly in rule expressions. Base64 options include URL-safe and padding; sha256 is available as an Enterprise add-on requiring entitlement.

    New functions

    Cloudflare Rulesets now include encode_base64() and sha256() functions, enabling you to generate signed request headers directly in rule expressions. These functions support common patterns like constructing a canonical string from request attributes, computing a SHA256 digest, and Base64-encoding the result.

    | Function | Description | Availability |
    | encode_base64(input, flags) | Encodes a string to Base64 format. Optional flags parameter: u for URL-safe encoding, p for padding (adds = characters to make the output length a multiple of 4, as required by some systems). By default, output is standard Base64 without padding. | All plans (in header transform rules) |
    | sha256(input) | Computes a SHA256 hash of the input string. | Requires enablement |

    Note

    The sha256() function is available as an Enterprise add-on and requires a specific entitlement. Contact your account team to enable it.

    Examples

    Encode a string to Base64 format:

    encode_base64("hello world")
    

    Returns:

    aGVsbG8gd29ybGQ
    

    Encode a string to Base64 format with padding:

    encode_base64("hello world", "p")
    

    Returns:

    aGVsbG8gd29ybGQ=
    

    Perform a URL-safe Base64 encoding of a string:

    encode_base64("hello world", "u")
    

    Returns:

    aGVsbG8gd29ybGQ
    

    Compute the SHA256 hash of a secret token:

    sha256("my-token")
    

    Returns a hash that your origin can validate to authenticate requests.

    Compute the SHA256 hash of a string and encode the result to Base64 format:

    encode_base64(sha256("my-token"))
    

    Combines hashing and encoding for systems that expect Base64-encoded signatures.

    For more information, refer to the Functions reference.
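    As an added worked example (not Cloudflare's code), the Python below mirrors the documented behaviour of the two functions so an origin team can reproduce the header value a rule produces and verify it on arrival: `encode_base64` with the default no-padding output and the `u` and `p` flags, `sha256` over the input, and the "canonical string, digest, Base64" pattern the note describes. Two assumptions are made and marked in the code: `sha256()` is taken to yield the raw 32-byte digest (which is what feeding it into `encode_base64()` implies), and the newline-joined canonical string built from method, path and token is a constructed layout, since the note leaves that shape to the rule author.

```python
import base64
import hashlib
import hmac


def encode_base64(data, flags=""):
    """Mirror of the rule function encode_base64(input, flags).

    Default: standard alphabet with no '=' padding.  Flag 'u' selects the
    URL-safe alphabet ('-' and '_' instead of '+' and '/'); flag 'p' keeps
    the '=' padding so the output length is a multiple of 4.
    """
    if isinstance(data, str):
        data = data.encode("utf-8")
    encoder = base64.urlsafe_b64encode if "u" in flags else base64.b64encode
    out = encoder(data).decode("ascii")
    return out if "p" in flags else out.rstrip("=")


def sha256(data):
    """Mirror of sha256(input).

    Assumption: the raw 32-byte digest is returned, which is what the note's
    encode_base64(sha256("my-token")) composition implies.
    """
    if isinstance(data, str):
        data = data.encode("utf-8")
    return hashlib.sha256(data).digest()


def canonical_string(method, path, token):
    """Constructed canonical form (an assumption): method, path and the shared
    token joined by newlines so that no field can run into its neighbour."""
    return "\n".join([method.upper(), path, token])


def sign_request(method, path, token, flags=""):
    """Header value a rule would emit for this request: Base64(SHA256(canonical))."""
    return encode_base64(sha256(canonical_string(method, path, token)), flags)


def origin_accepts(header_value, method, path, token, flags=""):
    """Origin-side check: recompute the expected value for the request actually
    received and compare in constant time, so a forged header cannot be probed
    byte by byte through timing differences."""
    expected = sign_request(method, path, token, flags)
    return hmac.compare_digest(header_value.encode("ascii"), expected.encode("ascii"))


if __name__ == "__main__":
    print(encode_base64("hello world"))        # aGVsbG8gd29ybGQ
    print(encode_base64("hello world", "p"))   # aGVsbG8gd29ybGQ=
    sig = sign_request("GET", "/api/orders", "my-token")
    print(sig, origin_accepts(sig, "GET", "/api/orders", "my-token"))
```

    The `u` flag only changes the output when the digest happens to contain the two alphabet characters that differ, so `"hello world"` encodes identically with or without it; binding the method and path into the canonical string is what stops a captured header from being replayed against a different endpoint, and the origin should keep `token` as a secret shared only with the rule.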


Related products