WAF

This week's release focuses on improvements to existing detections to enhance coverage. Key Findings Existing rule enhancements have been deployed to improve detection resilience against broad classes of web attacks and strengthen behavioral coverage. RulesetRule IDLegacy Rule IDDescriptionPrevious ActionNew ActionCommentsCloudflare…

This emergency release introduces rules for CVE-2025-55183 and CVE-2025-55184, targeting server-side function exposure and resource-exhaustion patterns, respectively. Key Findings Added coverage for Leaking Server Functions (CVE-2025-55183) and React Function DoS detection (CVE-2025-55184). Impact These updates strengthen protection for server-function abuse…

This additional week's emergency release introduces improvements to our existing rule for React – Remote Code Execution – CVE-2025-55182 - 2, along with two new generic detections covering server-side function exposure and resource-exhaustion patterns. Key Findings Enhanced detection logic for…

We are reinstating the maximum request-payload size the Cloudflare WAF inspects to the following values: FreeProfessionalBusinessEnterpriseWAF scans request payload up to:1 MB8 KB8 KB128 KB Key Findings On December 5, 2025, we initially attempted to increase the maximum WAF payload…

We are increasing the maximum request-payload size the WAF inspects to 1 MB across all plans. This enhancement strengthens our detection capabilities for React RCE (CVE-2025-55182) by ensuring the WAF can fully analyse React payloads up to their standard maximum…

The WAF rule deployed yesterday to block unsafe deserialization-based RCE has been updated. The rule description now reads “React – RCE – CVE-2025-55182”, explicitly mapping to the recently disclosed React Server Components vulnerability. Detection logic remains unchanged. Key Findings Rule…