Migrating from CRS 3.3 to CRS 4.25 LTS — Part 2: Configuration
This is Part 2 of the CRS 3.3 → 4.25 LTS migration series. Part 1 provided an overview of the migration. This post covers the crs-setup.conf changes — the most immediately breaking part of the upgrade for most operators. If you take one thing from this post: do not reuse your CRS 3 crs-setup.conf with CRS 4 without reviewing every variable in it. Some variables were renamed, some were removed, and several new ones are required for features that did not exist in CRS 3.

Part 2 of the CRS 3→4 migration series: configuration. Don't reuse your old crs-setup.conf — variables were renamed, split, and added. Post includes a full checklist and an interactive migration tool.
coreruleset.org/2026...
#OWASP #CRS #WAF #AppSec

1 week ago 0 0 0 0
Migrating from CRS 3.3 to CRS 4.25 LTS — Part 1: Overview
The release of CRS v4.25.0 LTS marks the moment the CRS 4 generation has its long-term support anchor. If you have been running CRS 3.3.x — waiting for stability before committing to an upgrade — that moment is now. This is the first post in a series walking through everything you need to know to migrate from CRS 3.3.9 (the last CRS 3 LTS release) to CRS 4.25.0 LTS. The series is not a quick upgrade guide. It is a deliberate, post-by-post treatment of each dimension of the migration so that you can plan and execute without surprises.

Migrating from OWASP CRS 3.3 to 4.25 LTS? Part 1 of a 7-part series is out — covering what changed, what breaks, and how to plan your upgrade. ~500 changes, new plugin architecture, RE2/Hyperscan compat, and more.

2 weeks ago 1 1 0 0
Whitespace padding in filenames bypasses file upload extension checks
## Impact
A bypass was identified in OWASP CRS that allows uploading files with dangerous extensions (.php, .phar, .jsp, .jspx) by inserting whitespace padding in the filename (e.g. photo. php ...

🔒 Security Advisory: OWASP CRS file upload extension checks could be bypassed using whitespace padding in filenames (e.g. shell. php). CVE-2026-33691, Moderate severity.
Upgrade to CRS v4.25.0 or v3.3.9.
Thanks @HackingRepo for the report!

3 weeks ago 0 0 0 0

OWASP CRS v4.25.0 LTS is out! First Long-Term Support for CRS 4 — stable foundation with security patches through Q3 2027. Formal backport policy, lessons from 3.3 applied, and crslang on the horizon.

3 weeks ago 3 2 0 0

📢 Open WAF Day 2026 — Vienna, June 24th! 🇦🇹
A free, full-day event on WAFs, @coreruleset, and open-source security. CFP is open!
🎟️ Register: forms.gle/UckehAUPdR...
🎤 Submit a talk: forms.gle/PoBKhza7Yc...
See you there! 🚀
#OWASP #WAF #AppSec #CRS

1 month ago 1 1 0 0

🔥 OWASP CRS is evolving! Introducing #CRSLang — a new YAML-based rule language replacing Seclang. Cleaner syntax, multi-engine support, bidirectional translation, and a lower barrier for new contributors.
Check it out 👉 coreruleset.org/2026...
#WAF #AppSec #OWASP #ModSecurity

2 months ago 4 2 0 1
Release v4.23.0 · coreruleset/coreruleset
What's Changed
⭐ Important changes
feat(920640): add rule to enforce content-type if there is body by @fzipi in #4406
🆕 New features and detections 🎉
feat(lfi): Add detection for Vite.js pat...

📦 CRS v4.23.0 released!
New CVE detection, SSRF improvements, PHP session upload prevention & more.
Thanks to our amazing contributors: @touchweb_vincent, @azurit, @RedXanadu, @EsadCetiner, @Xhoenix & welcome @disisto! 🎉
Upgrade now 👇

2 months ago 0 0 0 0

🎉 Introducing seclang_parser - a unified ANTLR-based parser for SecLang! One grammar, multiple languages (Go & Python), endless possibilities for WAF tooling: linters, IDE integration, config management & more.
🔗

2 months ago 0 0 0 0
GitHub - netnea/netnea-crs-upgrading-plugin

CRS3→CRS4 migration made easy! 🚀

🧩 New GPL plugin lets you:
• Run CRS4 in monitor mode over CRS3
• Weed out false positives
• Gradually enable blocking or sampling

github.com/netnea/ne...
#OWASP #CRS #Security

4 months ago 2 1 0 0
Release v4.20.0 · coreruleset/coreruleset
What's Changed
🆕 New features and detections 🎉
feat: update restricted file extensions by @EsadCetiner in #4287
feat(930120): adding conf file for PrestaShop 1.6 / 1.7 / 8+ & Magento 2 by ...

🚀 OWASP CRS v4.20.0 is out!
✨ New: Enhanced file restrictions, PrestaShop/Magento configs, Expect header blocking
🛠️ Multiple fixes reducing JSON false positives + better detection
👉 github.com/corerules...
#OWASP #CRS #WebSecurity #AppSec

5 months ago 0 0 0 0