Core Rule Set (@CoreRuleSet)

Mar 29

OWASP CRS v4.25.0 LTS is out! First Long-Term Support for CRS 4 — stable foundation with security patches through Q3 2027. Formal backport policy, lessons from 3.3 applied, and crslang on the horizon. coreruleset.org/20260321/ann…

Announcing CRS v4.25.0 LTS: Long-Term Support for CRS 4

We are excited to announce that CRS v4.25.0 is the first Long-Term Support (LTS) release for the CRS 4 series. This is a milestone we have been working towards for over two years, and it marks the...

3,207

Core Rule Set

Apr 7

Part 2 of the CRS 3→4 migration series: configuration. Don't reuse your old crs-setup.conf — variables were renamed, split, and added. Post includes a full checklist and an interactive migration tool. coreruleset.org/20260406/mig… #OWASP #CRS #WAF #AppSec

Migrating from CRS 3.3 to CRS 4.25 LTS — Part 2: Configuration

This is Part 2 of the CRS 3.3 → 4.25 LTS migration series. Part 1 provided an overview of the migration. This post covers the crs-setup.conf changes — the most immediately breaking part of the...

103

Core Rule Set

Apr 1

Migrating from OWASP CRS 3.3 to 4.25 LTS? Part 1 of a 7-part series is out — covering what changed, what breaks, and how to plan your upgrade. ~500 changes, new plugin architecture, RE2/Hyperscan compat, and more. coreruleset.org/20260330/mig…

Migrating from CRS 3.3 to CRS 4.25 LTS — Part 1: Overview

The release of CRS v4.25.0 LTS marks the moment the CRS 4 generation has its long-term support anchor. If you have been running CRS 3.3.x — waiting for stability before committing to an upgrade —...

119

Core Rule Set

Mar 30

🔒 Security Advisory: OWASP CRS file upload extension checks could be bypassed using whitespace padding in filenames (e.g. shell. php). CVE-2026-33691, Moderate severity. Upgrade to CRS v4.25.0 or v3.3.9. Thanks @HackingRepo for the report! github.com/coreruleset/corer…

Whitespace padding in filenames bypasses file upload extension checks

## Impact A bypass was identified in OWASP CRS that allows uploading files with dangerous extensions (.php, .phar, .jsp, .jspx) by inserting whitespace padding in the filename (e.g. photo. php ...

316

Core Rule Set

Feb 25

📢 Open WAF Day 2026 — Vienna, June 24th! 🇦🇹 A free, full-day event on WAFs, @coreruleset, and open-source security. CFP is open! 🎟️ Register: forms.gle/UckehAUPdR8xZVkd8 🎤 Submit a talk: forms.gle/PoBKhza7YcRLFdFU6 See you there! 🚀 #OWASP #WAF #AppSec #CRS

Core Rule Set

Feb 18

🔥 OWASP CRS is evolving! Introducing #CRSLang — a new YAML-based rule language replacing Seclang. Cleaner syntax, multi-engine support, bidirectional translation, and a lower barrier for new contributors. Check it out 👉 coreruleset.org/20260122/int… #WAF #AppSec #OWASP #ModSecurity

Introducing CRSLang: The Next Generation Rule Language for OWASP CRS

We’re excited to introduce CRSLang, a new YAML-based rule language that will replace Seclang in the next major release of OWASP CRS. This represents a significant evolution in how we write, maintain,...

2,644

Core Rule Set

Feb 4

📦 CRS v4.23.0 released! New CVE detection, SSRF improvements, PHP session upload prevention & more. Thanks to our amazing contributors: @touchweb_vincent, @azurit, @RedXanadu, @EsadCetiner, @Xhoenix & welcome @disisto! 🎉 Upgrade now 👇 github.com/coreruleset/corer…

Release v4.23.0 · coreruleset/coreruleset

What's Changed ⭐ Important changes feat(920640): add rule to enforce content-type if there is body by @fzipi in #4406 🆕 New features and detections 🎉 feat(lfi): Add detection for Vite.js pat...

2,537

Core Rule Set

Feb 3

🎉 Introducing seclang_parser - a unified ANTLR-based parser for SecLang! One grammar, multiple languages (Go & Python), endless possibilities for WAF tooling: linters, IDE integration, config management & more. 🔗 coreruleset.org/20260122/int…

Introducing seclang_parser: A Unified ANTLR-Based Parser for SecLang

We are excited to introduce the community to a significant development in the CRS ecosystem: the seclang_parser, an ANTLR-based parser for the SecLang configuration language used by ModSecurity and...

162

Core Rule Set

25 Nov 2025

CRS3→CRS4 migration made easy! 🚀 🧩 New GPL plugin lets you: • Run CRS4 in monitor mode over CRS3 • Weed out false positives • Gradually enable blocking or sampling github.com/netnea/netnea-crs… #OWASP #CRS #Security

GitHub - netnea/netnea-crs-upgrading-plugin

Contribute to netnea/netnea-crs-upgrading-plugin development by creating an account on GitHub.

184

Core Rule Set

2 Nov 2025

🚀 OWASP CRS v4.20.0 is out! ✨ New: Enhanced file restrictions, PrestaShop/Magento configs, Expect header blocking 🛠️ Multiple fixes reducing JSON false positives better detection 👉 github.com/coreruleset/corer… #OWASP #CRS #WebSecurity #AppSec

Release v4.20.0 · coreruleset/coreruleset

What's Changed 🆕 New features and detections 🎉 feat: update restricted file extensions by @EsadCetiner in #4287 feat(930120): adding conf file for PrestaShop 1.6 / 1.7 / 8 & Magento 2 by ...

175

Core Rule Set

22 Sep 2025

CRS will have its second community call on September 22, from 20:30 to 21:30 CEST (18:30 UTC / 2:30 p.m. ET) and will be moderated by former CRS co-leader Christian Folini. Check more details and register here: luma.com/8yc1p543

CRS Community Call · Luma

A video call where the CRS dev team gets to meet their community face-to-face. A place for information exchange and questions for both newbies and experienced…

luma.com

2,418

Core Rule Set

23 Jul 2025

A critical vulnerability in Microsoft Sharepoint was recently discovered, allowing remote code execution -- in many cases, leading to persistence for the attackers, exfiltration of data, and more. Users of CRS were already covered from day zero using PL2.

203

Core Rule Set

6 Feb 2025

CRS will have its first community call on March 17, from 20:30 to 21:30 CET (19:30 UTC / 2:30 p.m. ET) and will be moderated by former CRS co-leader Christian Folini. Register here: coreruleset.org/register/com…

400

Core Rule Set

6 Nov 2024

A somewhat diminished OWASP⁩ CRS core team at the annual developers retreat / the ⁦@owasp⁩ project summit 2024 in Woburn Forest (group photo without squirrels and deer).

321

Core Rule Set

5 Sep 2024

Meet the CRS team: Whether it's work or hobbies, Max – the Kiwi-German software developer from the Swiss Alps – wants to enjoy what he does. For him, the most important thing about the CRS project is the people. Read his portrait: coreruleset.org/20240903/mee…

244

Core Rule Set

4 Sep 2024

We are excited to announce United Security Providers as Gold Sponsor of @CoreRuleSet. USP has been using CRS for a long time as an important component of its web access management solution. Support from sponsors is of great importance for the CRS project. coreruleset.org/20240903/uni…

199

Core Rule Set

united-security-providers.ch

4 Sep 2024

See also the blog post on @uspag‘s website: united-security-providers.ch…

United Security Providers wird Gold-Sponsor des OWASP Core Rule Set - United Security Providers AG

Das Open-Source-Projekt OWASP CRS gewinnt die United Security Providers AG als neue Gold-Sponsorin. Mit der finanziellen Unterstützung fördert die Schweizer Anbieterin von IT-Security-Lösungen die...

152

ModSecurity

Core Rule Set retweeted

ModSecurity @ModSecurity

3 Sep 2024

New versions of ModSecurity have been released, see the blog post: modsecurity.org/20240903/new…

1,113

Core Rule Set

United Security Providers AG @uspag

3 Sep 2024

Thank you, United Security Providers, for supporting the @CoreRuleSet as new GOLD sponsor! The specialist for application and network security has been using CRS for a long time. Support from sponsors like @uspag is of great importance for open-source projects like CRS. #crs #WAF

3 Sep 2024

Wir sind stolz darauf, als Goldsponsor das OWASP CRS-Projekt zu unterstützen! 🚀 Unsere Entwickler tragen aktiv zur Weiterentwicklung bei und stärken die Open-Source-Community. Hier geht's zur Pressemitteilung: eu1.hubs.ly/H0c3Nb_0 #CyberSecurity #OWASP #CRS #OpenSource

218

Core Rule Set