What's Changed

⭐ Important changes

• chore: removed detection for LaTeX injection by @Xhoenix in #4221

🧰 Other Changes

• fix(942340): remove dot star by @Xhoenix in #4220

Full Changelog: v4.17.0...v4.17.1

What's Changed

⭐ Important changes

• feat: remove PCI DSS tags (#4194) by @pha6d in #4203

🆕 New features and detections 🎉

• feat: added detection for ASP.NET errors by @Xhoenix in #4092
• feat: added detection for RCE via Referer header by @Xhoenix in #3993
• feat: added detection for LaTeX injection by @Xhoenix in #4206
• feat: added detection for ruby errors and code leakage by @Xhoenix in #4089

🧰 Other Changes

• fix(951xxx): remove dot star by @Xhoenix in #4171
• fix: use word bondary on 952110 to avoid matching non-java errors by @EsadCetiner in #4177
• feat: Update java-classes.data by @KIC-8462852 in #4173
• fix(931130): update file uri with single slash by @fzipi in #4193
• fix(932281): avoid matching on json payloads by @EsadCetiner in #4187
• fix: 932280/932281 bypass by @Xhoenix in #4207

New Contributors

• @KIC-8462852 made their first contribution in #4173
• @pre-commit-ci[bot] made their first contribution in #4185
• @pha6d made their first contribution in #4203

Full Changelog: v4.16.0...v4.17.0

What's Changed

🆕 New features and detections 🎉

• feat: remediation for Python SSTI by @TheRubick in #4145
• fix: update rule 942560 by @Xhoenix in #4161
• feat: detect generic config filenames by @EsadCetiner in #4102
• feat: update java-errors.data by @Xhoenix in #4113
• feat: added rule to detect Bash Brace Expansion by @Xhoenix in #3780
• feat: added MongoDB operators by @Xhoenix in #4162
• feat: added zmodload and sudo-rs by @Xhoenix in #4143

🧰 Other Changes

• fix(941160): remove dot star by @fzipi in #4155
• fix(934140): remove dot star by @fzipi in #4165
• fix(932370): remove dot star by @fzipi in #4166
• fix(955xxx): remove dot star by @Xhoenix in #4169
• fix(933150): moving printf to 933160 for additional php syntax check (933150 PL-1, 933160 PL-1) by @EsadCetiner in #3840
• fix: create a stricter sibling to 932370 and move at to PL-2 (932370 PL-1, 932371 PL-2) by @EsadCetiner in #4015
• fix(942340): remove dot star by @fzipi in #4164
• refactor(942340): move to regex assembly by @fzipi in #4014
• fix(933160): remove dot star by @fzipi in #4167

New Contributors

• @TheRubick made their first contribution in #4145

Full Changelog: v4.15.0...v4.16.0

What's Changed

🆕 New features and detections 🎉

• feat: add User-Agent and Referer into targets (942280 PL1) by @azurit in #4115
• feat: update java-classes.data by @Xhoenix in #4080
• feat: block database yaml files by @EsadCetiner in #4130

🧰 Other Changes

• fix: false positive with title_strip_tags by moving strip_tags to 933160 by @EsadCetiner in #4105
• fix: remove self command by @EsadCetiner in #4111
• fix: remove rc shell to reduce FPs by @theseion in #4125
• feat: remove unnecessary character class from 933151 by @TimDiam0nd in #4135
• fix: false positives with session tokens/cookies 933150 by @EsadCetiner in #4142
• fix: add word ending to unix command sendmail (932235 PL1, 932236 PL2, 932239 PL2, 932260 PL1) by @franbuehler in #4141
• feat: 933151 change from capture and double pmf to regex by @TimDiam0nd in #4139
• feat: 933120 change from capture and double pmf to regex by @TimDiam0nd in #4138
• feat: remove exclusion of deprecated __utm cookies by @theseion in #4151

Full Changelog: v4.14.0...v4.15.0

What's Changed

🆕 New features and detections 🎉

• feat: detect ASP web shells by @Xhoenix in #4063
• feat: detect compressed database dumps by @EsadCetiner in #4082
• feat: detect javascript methods import fetch console.log console.dir by @EsadCetiner in #4076

🧰 Other Changes

• fix: fixing FPs related to rule 951220 by @azurit in #4079
• fix: don't block ttf font files by @EsadCetiner in #4081
• fix: 932270 FP by @Xhoenix in #3917
• fix(954100): detect forward slash in path by @Xhoenix in #4094
• fix: remove .application from restricted extensions by @EsadCetiner in #4103
• fix: 44J-250329 by @EsadCetiner in #4107

Full Changelog: v4.13.0...v4.14.0

What's Changed

⭐ Important changes

• fix(security): fixing double URL decode of REQUEST_URI by @azurit in #4047

🆕 New features and detections 🎉

• feat: block header related to CVE-2025-29927 (Next.js) by @azurit in #4053
• feat: added new XSS payloads by @Xhoenix in #4055
• feat: add potential malicious file extensions into tx.restricted_extensions by @Xhoenix in #4068
• feat: add additional files commonly accessed by bots by @EsadCetiner in #4069
• feat: adding .dist and .dpkg-dist into tx.restricted_extensions by @azurit in #4057
• feat: add more default session cookie names by @Xhoenix in #4062

🪦 Rule removals

• feat: remove rule 952100 for detecting Java Source Code Leakage by @S0obi in #4052

🧰 Other Changes

• fix(934130): extend prototype pollution payload by @Xhoenix in #4036
• fix: rule 930110 is not supposed to match bare '..' without (back)slashes by @azurit in #4050
• fix: use boundary to fix false positive with email firstname.dockery@host.tld by @EsadCetiner in #4045
• feat: refresh restricted-upload.data by @S0obi in #4046
• fix: tag inconsistency per file by @Xhoenix in #4031
• fix: added pre-check of unset TX variable by @airween in #4066
• fix: false positive found in quantitative testing round 2 for unix rce rules (932230 PL-1, 932235 PL-1, 932250 PL-1, 932260 PL-1, 932231 PL-2, 932220 PL-2, 932236 PL-2, 932239 PL-2, 932232 PL-3, 932238 PL-3) by @EsadCetiner in #4019

New Contributors

• @daum3ns made their first contribution in #4043
• @S0obi made their first contribution in #4046

Full Changelog: v4.12.0...v4.13.0

What's Changed

🆕 New features and detections 🎉

• feat: prevent V1 cookie format use by @fzipi in #4006
• feat: added new restricted files for openstack and docker compose by @azurit in #4021

🧰 Other Changes

• fix: multipart header tag consistency by @Xhoenix in #3992
• fix: prevent invalid commands matches on 5 characters or less (932220 PL-2, 932230 PL-1, 932232 PL-3, 932235 PL-1, 932236 PL-2, 932237 PL-3, 932238 PL-3, 932239 PL-2, 932250 PL-1, 932260 PL-1) by @EsadCetiner in #3735
• docs: add warning about default charsets modification by @fzipi in #4003
• fix: response splitting rules and tests by @theseion in #4009
• fix(933160): use better regex by @fzipi in #4010
• fix: move fopen to 933160 to resolve fp with RootAndLeafOpenCamera.jpg (933150 PL-1, 933160 PL-1) by @EsadCetiner in #4016
• fix(941210): update log message to reflect rule javascript word detection by @fzipi in #4023
• fix: remove .env from lfi-os-files.data by @theseion in #4024

New Contributors

• @renovate made their first contribution in #4000

Full Changelog: v4.11.0...v4.12.0

What's Changed

🪦 Rule removals

• feat: Remove rules for lack of viable attack scenario (920220 PL1, 920221 PL1) by @dune73 in #3969

🧰 Other Changes

• fix: remove aliases man, mi, si and resolve positives (932125 PL1) by @franbuehler in #3971
• fix: remove where, if, for and vol and resolve false positives (932380 PL1) by @franbuehler in #3972
• fix: make 932300 actually case-insensitive by @theseion in #3977
• fix: remove sql function names to resolve false positives (942151 PL1) by @franbuehler in #3973
• fix: issue 3809 by @Xhoenix in #3983

Full Changelog: v4.10.0...v4.11.0

What's Changed

🆕 New features and detections 🎉

• feat: block CVE-2023-5003 by @azurit in #3955
• feat: prevent accessing PHP variables by @azurit in #3965

🧰 Other Changes

• fix: FP against pattern with = following at arbitrary position by @theseion in #3963

Full Changelog: v4.9.0...v4.10.0

What's Changed

⭐ Important changes

• feat: add variable to skip response rules by @fzipi in #3944

🆕 New features and detections 🎉

• feat: add fish shell files to restricted-files.data by @OhMyVolk in #3915
• feat: add quantitative testing to Git workflow by @airween in #3924

🧰 Other Changes

• feat: added support for new web shells by @azurit in #3898
• fix(security): remove double URL decode (921151 PL2, 932190 PL3, 942441 PL2, 942442 PL2, 942460 PL3) by @azurit in #3741
• docs: extended rule documentation (900200) by @dune73 in #3934

New Contributors

• @OhMyVolk made their first contribution in #3915

Full Changelog: v4.8.0...v4.9.0