Security 10940 Published by

The OWASP Core Rule Set has released its latest long-term support update, version 4.25.0, which includes critical fixes for file upload detection. Administrators should prioritize the upgrade because it closes CVE-2026-33691, a bypass of the upload rules that uses whitespace padding in file names to slip past the detection logic. Beyond the security fixes, the release adds detection for shell fork bombs and expands AI-based path detection to catch obscure directories previously overlooked. Review your rule exclusions after upgrading, since tighter rules may flag legitimate traffic; a 3.3.9 release carrying the same fix is available if you cannot move to 4.x immediately.



OWASP CRS 4.25.0 LTS release brings critical file upload fixes and new detections

The latest update to the OWASP CRS is version 4.25.0, and it is not a minor bump if you run a WAF. This LTS release patches specific bypass techniques that attackers use to upload malicious files through whitespace tricks in file names. Administrators should prioritize this update to stop CVE-2026-33691 exploitation before it shows up in their logs.

Why OWASP CRS 4.25.0 LTS matters for your WAF

Security rules tend to get ignored until a vulnerability makes headlines, and that pattern has cost plenty of admins time during incident response. The Core Rule Set team knows this dynamic well enough to bundle critical fixes into an LTS release rather than waiting for the next minor iteration. This version targets whitespace padding bypasses in the PHP double-extension upload rule, which previously let bad actors slip past the detection logic. It is frustrating when a basic upload filter fails because of how a file name handles spaces or other invisible characters, but this update closes those gaps.

Critical fixes stop file upload bypasses

The headline changes address CVE-2026-33691, a whitespace padding bypass of the PHP and JSP file upload rules. The old rules let attackers submit a script under a name such as image.jpg.php padded with extra whitespace that confused the matching, whereas the new logic accounts for those characters before the extension is inspected. There is also a fix for restricted file upload detection that prevents similar padding tricks from working against other server types. Strict upload rules do produce false positives on legitimate test uploads, but ignoring these updates leaves the door open to actual web shell uploads. The recent refactor moving rules such as 931100 and 941250 into regex-assembly (.ra) files organizes this logic so that future maintenance is less likely to break existing protections.
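To make the bypass concrete, here is an added example in Python (not code from the CRS project, which writes its rules in SecLang; the extension list, the padding character set and the sample file names are assumptions constructed for illustration). It places a naive double-extension check beside a padding-aware one and runs both over file names as a WAF would see them in a multipart filename parameter:

```python
# Extensions a PHP-enabled server may execute. Illustrative set for this
# example, not the project's own data file.
PHP_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "php8", "phtml", "phar"}

# Whitespace an upstream server, framework or filesystem may trim from a
# file name before deciding how to handle it (assumption for this example).
PADDING = " \t\r\n\x0b\x0c"


def split_extensions(filename: str) -> list[str]:
    """Return the dot-separated segments that follow the base name."""
    return filename.split(".")[1:]


def naive_double_extension(filename: str) -> bool:
    """Pre-fix style check: flags 'x.php.jpg', but compares each segment
    verbatim, so 'x.php .jpg' (segment 'php ') is not recognised."""
    inner = split_extensions(filename)[:-1]  # extensions before the last one
    return any(seg.lower() in PHP_EXTENSIONS for seg in inner)


def hardened_double_extension(filename: str) -> bool:
    """Normalise padding before matching: trim the whitespace an upstream
    component might trim, then compare. Collapsing all whitespace would be
    stricter still, at the cost of more false positives."""
    inner = split_extensions(filename)[:-1]
    return any(seg.strip(PADDING).lower() in PHP_EXTENSIONS for seg in inner)


# Constructed sample file names, as they would appear in a multipart
# Content-Disposition filename= parameter.
SAMPLES = [
    "avatar.jpg",         # benign
    "shell.php.jpg",      # classic double extension, both checks catch it
    "shell.php .jpg",     # trailing space inside the php segment
    "shell.PHTML\t.png",  # tab padding plus mixed case
    "shell.php",          # single extension: out of scope for this check
]


def evaluate(samples=SAMPLES) -> dict[str, tuple[bool, bool]]:
    """Map each name to (naive_verdict, hardened_verdict)."""
    return {
        name: (naive_double_extension(name), hardened_double_extension(name))
        for name in samples
    }


if __name__ == "__main__":
    for name, (naive, hardened) in evaluate().items():
        print(f"{name!r:22} naive={naive!s:5} hardened={hardened}")
```

The point is the mismatch between what the WAF matches and what the backend eventually acts on: if any component downstream trims the padding, the server sees a plain php segment while the verbatim check saw "php " and let it through. The single-extension case is left to a separate rule on purpose; this check only covers the double-extension pattern the passage describes.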

New detections and rule improvements

Beyond the security patches, the update expands AI-based path detection to catch more obscure directories that were previously overlooked. A new shell fork bomb detection rule sits at paranoia level 2, which should help identify resource exhaustion attempts before they take a server down. The team also added an AWS security agent entry to the scanner user-agent data so that agent's requests are recognized correctly. Updates to the unix command list keep the command injection rules matching newer tooling found in modern development environments. These additions do not replace the core CVE fix, but they provide better context for understanding what is hitting your application logs.

What to expect from OWASP CRS 4.25.0

Upgrading requires the usual review of existing rule exclusions, since tighter rules may flag previously allowed traffic. The GitHub Actions workflows received hardening, which suggests the maintainers are paying attention to their own supply chain security. False negatives in rule 932236 have been corrected, so the affected injection patterns now trigger alerts as intended. Anyone with custom modifications that rely on the old behavior of the cookie inspection rules should check them, because the update stops inspecting cookies twice. That change reduces processing overhead and gives consistent logging across request types.

Release Coreruleset v4.25.0 (LTS)

What's Changed
Important :star: These below fix CVE-2026-33691:
fix(933111): prevent whitespace padding bypass in PHP double-extension upload by @fzipi in #4547

Release v4.25.0 (LTS) · coreruleset/coreruleset

OWASP CRS 3.3.9 is also available and includes the security fix for CVE-2026-33691:

Release Coreruleset v3.3.9

What's Changed
:star: Important changes
fix: KP3-260311 v3 by @fzipi in 2a8c635
Full Changelog: v3.3.8...v3.3.9

Release v3.3.9 · coreruleset/coreruleset