OWASP CRS 4.22.0 and 3.3.8 released
OWASP has released versions 4.22.0 and 3.3.8 of its Core Rule Set (CRS). Both releases carry a critical fix for a rule-set bypass, tracked by the project as 9AJ-260102, in which a request carrying an unexpected content type could slip past the rules. They also add a detection sequence to rule 934100 for the published proof-of-concept payloads for CVE-2025-55182, which the rule set had not covered before, so the CRS now has an explicit signature for that attack vector.
The releases also reduce false positives, the alerts raised by harmless traffic or user mistakes, so administrators spend less time triaging benign requests and more on real threats. In addition, the rule patterns are now compatible with Rust's regex library, so engines and tools built on that library can load the rules without modification.
Finally, obsolete code patterns and spelling variants that are no longer relevant have been removed from the rules. Small as it sounds, this kind of cleanup avoids future problems and makes the rule set easier to maintain.
Release coreruleset v4.22.0
What's Changed
Important changes
- CRITICAL fix for 9AJ-260102
Other Changes
- feat(934100): added sequence for CVE-2025-55182 POCs by @touchweb-vincent in #4372
- feat(942440)

Release coreruleset v3.3.8
What's Changed
Important changes
- CRITICAL fix: 9AJ-260102 v3 by @airween in 80d8047
Fixes
- fix: move rule's phase 950100 to 3 by @airween in #3941