OWASP CRS v4.28.0 Drops With Critical Security Fixes and First LTS Track
OWASP Core Rule Set v4.28.0, released today, delivers critical security patches, including XML attribute inspection across the attack rules and the elimination of catastrophic backtracking in the Unix shell evasion detection. The update adds new protections for quote-based SQL injection evasion, ORM lookup operator injection and RCE evasion prefixes, and removes exponential backtracking from several performance-critical rules. The project also announced v4.25.0 as its first Long-Term Support release, providing enterprise stability as legacy CRS 3.3.x support wraps up in Q3 2026. Administrators can pull the new rules from GitHub immediately, though the team emphasizes that CRS remains a pattern-matching safety net: it requires proper tuning and cannot replace application-level security practices.
Published at Linux Compatible.
The OWASP Core Rule Set (CRS) project has released version 4.28.0, which bundles critical security patches with performance improvements: attack rules now inspect XML attributes as well as element text, and the catastrophic backtracking in the Unix shell evasion detection has been removed. The update also introduces new protections against quote-based SQL injection evasion, ORM lookup operator injection and RCE evasion prefixes, while the removal of exponential backtracking from several performance-critical rules lowers the cost per request for high-traffic web applications. In addition, the project has launched its first Long-Term Support (LTS) release, version 4.25.0, which aims to stabilize the core detection engine and reduce false positives as support for the older CRS 3.3.x series comes to an end in Q3 2026. Administrators are encouraged to download the new rules from GitHub, but the project stresses that CRS is a supplementary security measure, not a replacement for secure coding practices.
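The two headline fixes above, shown in miniature as an added example; this is illustration code written for this page, not CRS or ModSecurity code, and it makes no claim about which CRS rule IDs changed. The first part mirrors how a WAF picks its inspection targets from an XML body: a rule bound only to element text (ModSecurity's `XML:/*` selector) never sees a payload carried in an attribute value, which is what the all-attributes selector `XML://@*` adds. The second part shows what "catastrophic backtracking" costs in practice: a hypothetical shell-evasion pattern with nested quantifiers that takes exponential time on a crafted, non-matching input, next to an equivalent rewrite with only one way to consume any input. The regexes, the XML body, the sample strings and the function names are all constructed here.

```python
"""Added example (not CRS or ModSecurity code): the two headline fixes in miniature.

Part 1 mirrors the XML target split: a rule that only inspects element text
(ModSecurity's XML:/* selector) never sees a payload carried in an attribute
value, which is what the XML://@* selector adds.
Part 2 shows what "catastrophic backtracking" means for a WAF: a hypothetical
shell-evasion pattern with nested quantifiers that costs exponential time on
a crafted, non-matching input, next to an equivalent unambiguous rewrite.
The patterns, the XML body and the probe strings are constructed here.
"""
import re
import timeit
import xml.etree.ElementTree as ET

# --- Part 1: which parts of an XML body a rule actually looks at -----------

# Hypothetical signature for "cat" written with quote/backslash insertion
# (c'a't, c\at, ...). Linear-time: no nested quantifiers.
CAT_EVASION_RE = re.compile(r"""\bc['"\\]*a['"\\]*t\b""")

def xml_targets(body, include_attributes):
    """Return the strings a rule would inspect in an XML body.

    Element text stands in for XML:/*; attribute values are what XML://@*
    adds. Stdlib parser on constructed input only: untrusted bodies belong
    behind defusedxml or the WAF's own hardened parser.
    """
    root = ET.fromstring(body)
    targets = []
    for elem in root.iter():
        if elem.text and elem.text.strip():
            targets.append(elem.text.strip())
        if include_attributes:
            targets.extend(elem.attrib.values())
    return targets

def inspect_xml(body, include_attributes, pattern=CAT_EVASION_RE):
    """Targets in `body` that the pattern flags."""
    return [t for t in xml_targets(body, include_attributes) if pattern.search(t)]

# Constructed request body: the obfuscated command sits in an attribute,
# the element text is harmless.
ATTACK_XML = (
    '<order id="42">'
    '<item sku="A1" note="c\'a\'t /etc/passwd">widget</item>'
    '<comment>plain text</comment>'
    '</order>'
)

# --- Part 2: catastrophic backtracking in an evasion pattern ---------------

# Hypothetical rule: a run of word characters, possibly broken up by quotes
# or backslashes, terminated by the shell separator ';'.
# VULNERABLE: (?:\w+['"\\]*)+ lets the engine split one run of word chars
# into exponentially many groupings before the trailing ';' fails.
VULNERABLE_RE = re.compile(r"""(?:\w+['"\\]*)+;""")
# SAFE: recognises exactly the same strings, but every repetition must begin
# with an evasion char, so there is only one way to consume any input.
SAFE_RE = re.compile(r"""\w+(?:['"\\]+\w+)*['"\\]*;""")

def patterns_agree(samples):
    """True if both patterns flag the same members of `samples`."""
    return all(bool(VULNERABLE_RE.search(s)) == bool(SAFE_RE.search(s)) for s in samples)

def growth_ratio(pattern, n_small=10, n_large=18):
    """Best-of-5 time on a non-matching probe of length n_large over n_small.

    A word run with no ';' forces the engine to exhaust every split: the
    vulnerable pattern's ratio approaches 2 ** (n_large - n_small); the safe
    pattern's stays close to 1. Eight extra bytes per request are enough to
    multiply the WAF's work by roughly 256.
    """
    def best(n):
        probe = "a" * n + "!"
        return min(timeit.repeat(lambda: pattern.search(probe), repeat=5, number=1))
    return best(n_large) / best(n_small)

# Constructed samples: both patterns must agree on every one of them.
SAMPLES = ["c'a't /etc/passwd;", 'ls "-la";', "echo hi", "id;", "rm\\ -rf ;"]

if __name__ == "__main__":
    print("text only  :", inspect_xml(ATTACK_XML, include_attributes=False))
    print("with attrs :", inspect_xml(ATTACK_XML, include_attributes=True))
    print("agree      :", patterns_agree(SAMPLES))
    print("vulnerable growth x%.0f" % growth_ratio(VULNERABLE_RE))
    print("safe growth       x%.1f" % growth_ratio(SAFE_RE))
```

Run as a script, the text-only inspection returns nothing while the attribute-aware one returns the obfuscated command, and the vulnerable pattern's growth ratio lands in the hundreds against a single-digit ratio for the safe rewrite. The general lesson for anyone writing or tuning WAF rules: a pattern whose repetitions can consume the same input in more than one way is a denial-of-service vector, and the fix is to restructure it so each repetition has a distinct, required leading token, not to add a length limit after the fact.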
