OWASP CRS 4.25.0 (LTS) and 3.3.9 released

The OWASP Core Rule Set project has released version 4.25.0 (LTS), which includes critical patches for file upload vulnerabilities, specifically addressing CVE-2026-33691, a flaw that lets attackers bypass detection using whitespace padding tricks. Administrators are urged to prioritize this update before the issue is exploited against their systems. In addition to the security fixes, the update introduces new detections for shell fork bombs and enhanced AI-based path scanning to identify obscure directories. Users should review their existing exclusions after upgrading, as tighter rules may flag legitimate traffic. An older version, 3.3.9, remains available for those unable to upgrade immediately.
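The bypass class named above (whitespace padding around an uploaded filename) is easiest to understand by comparing a literal suffix match against one that canonicalises the filename first. The following is an added illustration, not CRS code and not the patched rule; the `DENY_EXT` list, the `Content-Disposition` samples and the whitespace handling are constructed assumptions for the demonstration only.

```python
import re

# Constructed sample Content-Disposition values, as a WAF would see them
# inside a multipart/form-data body. Illustrative inputs only, not material
# from the CVE-2026-33691 advisory.
SAMPLE_PARTS = [
    'form-data; name="file"; filename="report.txt"',
    'form-data; name="file"; filename="index.php"',
    'form-data; name="file"; filename="index.php   "',   # trailing spaces
    'form-data; name="file"; filename="index.php\t"',    # trailing tab
    'form-data; name="file"; filename="index .php"',     # space before the dot
]

# Hypothetical extension denylist for the demo; CRS ships its own, this is not it.
DENY_EXT = (".php", ".phtml", ".jsp")

FILENAME_RE = re.compile(r'filename="([^"]*)"')


def extract_filename(content_disposition):
    """Pull the raw filename out of a Content-Disposition value, or None."""
    m = FILENAME_RE.search(content_disposition)
    return m.group(1) if m else None


def naive_is_blocked(filename):
    """Literal suffix match: any padding after the extension defeats it."""
    return filename.lower().endswith(DENY_EXT)


def normalize_filename(filename):
    """Canonicalise before matching: strip surrounding Unicode whitespace
    and collapse whitespace hugging the extension dot."""
    name = filename.strip()
    name = re.sub(r"\s*\.\s*", ".", name)
    return name.lower()


def hardened_is_blocked(filename):
    """Same denylist, applied to the canonical form of the filename."""
    return normalize_filename(filename).endswith(DENY_EXT)


def scan_parts(parts):
    """Return (filename, naive_verdict, hardened_verdict) for each part
    that carries a filename, so the two checks can be compared side by side."""
    results = []
    for cd in parts:
        fn = extract_filename(cd)
        if fn is None:
            continue
        results.append((fn, naive_is_blocked(fn), hardened_is_blocked(fn)))
    return results


if __name__ == "__main__":
    for fn, naive, hardened in scan_parts(SAMPLE_PARTS):
        print(f"{fn!r:22} naive={naive!s:5} hardened={hardened}")
```

The point for anyone tuning a WAF: padding is only a bypass when the match runs on the raw token, so the mitigation is to normalise the value the rule inspects, not to enumerate every padding variant in the pattern. The same comparison is a cheap regression test to keep around when reviewing exclusions after the upgrade.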

OWASP CRS 4.25.0 (LTS) and 3.3.9 released @ Linux Compatible