coreruleset
diff --git a/‎CHANGES.md‎
Lines changed: 29 additions & 0 deletions b/‎CHANGES.md‎
Lines changed: 29 additions & 0 deletions
diff --git a/‎SECURITY.md‎
Lines changed: 1 addition & 1 deletion b/‎SECURITY.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎crs-setup.conf.example‎
Lines changed: 27 additions & 27 deletions b/‎crs-setup.conf.example‎
Lines changed: 27 additions & 27 deletions
diff --git a/‎rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example‎
Lines changed: 1 addition & 1 deletion b/‎rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example‎
Lines changed: 1 addition & 1 deletion
@@ -5,6 +5,35 @@
   or the CRS Google Group at
 * https://groups.google.com/a/owasp.org/g/modsecurity-core-rule-set-project
 
+## Version 4.13.0 - 2025-03-31
+
+## What's Changed
+### ⭐ Important changes
+* fix(security): fixing double URL decode of REQUEST_URI by @azurit in https://github.com/coreruleset/coreruleset/pull/4047
+### 🆕 New features and detections 🎉
+* feat: block header related to CVE-2025-29927 (Next.js) by @azurit in https://github.com/coreruleset/coreruleset/pull/4053
+* feat: added new XSS payloads by @Xhoenix in https://github.com/coreruleset/coreruleset/pull/4055
+* feat: add potential malicious file extensions into tx.restricted_extensions by @Xhoenix in https://github.com/coreruleset/coreruleset/pull/4068
+* feat: add additional files commonly accessed by bots by @EsadCetiner in https://github.com/coreruleset/coreruleset/pull/4069
+### 🪦 Rule removals
+* feat: remove rule 952100 for detecting Java Source Code Leakage by @S0obi in https://github.com/coreruleset/coreruleset/pull/4052
+### 🧰 Other Changes
+* fix(934130): extend prototype pollution payload by @Xhoenix in https://github.com/coreruleset/coreruleset/pull/4036
+* fix: rule 930110 is not supposed to match bare '..' without (back)slashes by @azurit in https://github.com/coreruleset/coreruleset/pull/4050
+* fix: use boundary to fix false positive with email `firstname.dockery@host.tld` by @EsadCetiner in https://github.com/coreruleset/coreruleset/pull/4045
+* feat: refresh restricted-upload.data by @S0obi in https://github.com/coreruleset/coreruleset/pull/4046
+* fix: tag inconsistency per file by @Xhoenix in https://github.com/coreruleset/coreruleset/pull/4031
+* feat: adding .dist and .dpkg-dist into tx.restricted_extensions by @azurit in https://github.com/coreruleset/coreruleset/pull/4057
+* feat: add more default session cookie names by @Xhoenix in https://github.com/coreruleset/coreruleset/pull/4062
+* fix: added pre-check of unset TX variable by @airween in https://github.com/coreruleset/coreruleset/pull/4066
+* fix: false positive found in quantitative testing round 2 for unix rce rules (932230 PL-1, 932235 PL-1, 932250 PL-1, 932260 PL-1, 932231 PL-2, 932220 PL-2, 932236 PL-2, 932239 PL-2, 932232 PL-3, 932238 PL-3) by @EsadCetiner in https://github.com/coreruleset/coreruleset/pull/4019
+
+## New Contributors
+* @daum3ns made their first contribution in https://github.com/coreruleset/coreruleset/pull/4043
+* @S0obi made their first contribution in https://github.com/coreruleset/coreruleset/pull/4046
+
+**Full Changelog**: https://github.com/coreruleset/coreruleset/compare/v4.12.0...v4.13.0
+
 ## Version 4.12.0 - 2025-03-01
 
 ## What's Changed
 
@@ -11,8 +11,8 @@ Along those lines, OWASP CRS team may not issue security notifications for unsup
 
 | Version   | Supported          |
 | --------- | ------------------ |
+| 4.13.z    | :white_check_mark: |
 | 4.12.z    | :white_check_mark: |
-| 4.11.z    | :white_check_mark: |
 | 4.y.z     | :x: |
 | 3.3.x     | :white_check_mark: |
 | 3.2.x     | :x:                |
 
@@ -1,5 +1,5 @@
 # ------------------------------------------------------------------------
-# OWASP CRS ver.4.13.0-dev
+# OWASP CRS ver.4.13.0
 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
 # Copyright (c) 2021-2025 CRS project. All rights reserved.
 #
@@ -181,7 +181,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    t:none,\
 #    nolog,\
 #    tag:'OWASP_CRS',\
-#    ver:'OWASP_CRS/4.13.0-dev',\
+#    ver:'OWASP_CRS/4.13.0',\
 #    setvar:tx.blocking_paranoia_level=1"
 
 
@@ -209,7 +209,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    t:none,\
 #    nolog,\
 #    tag:'OWASP_CRS',\
-#    ver:'OWASP_CRS/4.13.0-dev',\
+#    ver:'OWASP_CRS/4.13.0',\
 #    setvar:tx.detection_paranoia_level=1"
 
 
@@ -235,7 +235,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    t:none,\
 #    nolog,\
 #    tag:'OWASP_CRS',\
-#    ver:'OWASP_CRS/4.13.0-dev',\
+#    ver:'OWASP_CRS/4.13.0',\
 #    setvar:tx.enforce_bodyproc_urlencoded=1"
 
 
@@ -270,7 +270,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    t:none,\
 #    nolog,\
 #    tag:'OWASP_CRS',\
-#    ver:'OWASP_CRS/4.13.0-dev',\
+#    ver:'OWASP_CRS/4.13.0',\
 #    setvar:tx.critical_anomaly_score=5,\
 #    setvar:tx.error_anomaly_score=4,\
 #    setvar:tx.warning_anomaly_score=3,\
@@ -324,7 +324,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    t:none,\
 #    nolog,\
 #    tag:'OWASP_CRS',\
-#    ver:'OWASP_CRS/4.13.0-dev',\
+#    ver:'OWASP_CRS/4.13.0',\
 #    setvar:tx.inbound_anomaly_score_threshold=5,\
 #    setvar:tx.outbound_anomaly_score_threshold=4"
 
@@ -385,7 +385,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    t:none,\
 #    nolog,\
 #    tag:'OWASP_CRS',\
-#    ver:'OWASP_CRS/4.13.0-dev',\
+#    ver:'OWASP_CRS/4.13.0',\
 #    setvar:tx.reporting_level=4"
 
 
@@ -417,7 +417,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    t:none,\
 #    nolog,\
 #    tag:'OWASP_CRS',\
-#    ver:'OWASP_CRS/4.13.0-dev',\
+#    ver:'OWASP_CRS/4.13.0',\
 #    setvar:tx.early_blocking=1"
 
 
@@ -438,7 +438,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    t:none,\
 #    nolog,\
 #    tag:'OWASP_CRS',\
-#    ver:'OWASP_CRS/4.13.0-dev',\
+#    ver:'OWASP_CRS/4.13.0',\
 #    setvar:tx.enable_default_collections=1"
 
 
@@ -476,7 +476,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    t:none,\
 #    nolog,\
 #    tag:'OWASP_CRS',\
-#    ver:'OWASP_CRS/4.13.0-dev',\
+#    ver:'OWASP_CRS/4.13.0',\
 #    setvar:'tx.allowed_methods=GET HEAD POST OPTIONS'"
 
 # Content-Types that a client is allowed to send in a request.
@@ -514,7 +514,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    nolog,\
 #    tag:'OWASP_CRS',\
 #    ctl:ruleRemoveById=920420,\
-#    ver:'OWASP_CRS/4.13.0-dev',\
+#    ver:'OWASP_CRS/4.13.0',\
 #    chain"
 #    SecRule REQUEST_URI "@rx ^/foo/bar" \
 #        "t:none"
@@ -528,7 +528,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    t:none,\
 #    nolog,\
 #    tag:'OWASP_CRS',\
-#    ver:'OWASP_CRS/4.13.0-dev',\
+#    ver:'OWASP_CRS/4.13.0',\
 #    setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |text/xml| |application/xml| |application/soap+xml| |application/json|'"
 
 # Allowed HTTP versions.
@@ -544,7 +544,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    t:none,\
 #    nolog,\
 #    tag:'OWASP_CRS',\
-#    ver:'OWASP_CRS/4.13.0-dev',\
+#    ver:'OWASP_CRS/4.13.0',\
 #    setvar:'tx.allowed_http_versions=HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0 HTTP/3 HTTP/3.0'"
 
 # Forbidden file extensions.
@@ -568,7 +568,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    t:none,\
 #    nolog,\
 #    tag:'OWASP_CRS',\
-#    ver:'OWASP_CRS/4.13.0-dev',\
+#    ver:'OWASP_CRS/4.13.0',\
 #    setvar:'tx.restricted_extensions=.ani/ .application/ .asa/ .asax/ .ascx/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .compositefont/ .config/ .conf/ .crt/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dist/ .dll/ .dos/ .dpkg-dist/ .drv/ .gadget/ .hta/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .inf/ .ini/ .jse/ .key/ .licx/ .lnk/ .log/ .mdb/ .msc/ .ocx/ .old/ .pass/ .pdb/ .pfx/ .pif/ .pem/ .pol/ .prf/ .printer/ .pwd/ .rdb/ .rdp/ .reg/ .resources/ .resx/ .scr/ .sct/ .shs/ .sql/ .swp/ .sys/ .tlb/ .tmp/ .ttf/ .url/ .vb/ .vbe/ .vbs/ .vbproj/ .vsdisco/ .vxd/ .webinfo/ .ws/ .wsc/ .wsf/ .wsh/ .xsd/ .xsx/'"
 
 # Restricted request headers.
@@ -616,7 +616,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    t:none,\
 #    nolog,\
 #    tag:'OWASP_CRS',\
-#    ver:'OWASP_CRS/4.13.0-dev',\
+#    ver:'OWASP_CRS/4.13.0',\
 #    setvar:'tx.restricted_headers_basic=/content-encoding/ /proxy/ /lock-token/ /content-range/ /if/ /x-http-method-override/ /x-http-method/ /x-method-override/ /x-middleware-subrequest/'"
 #
 # [ Extended ]
@@ -642,7 +642,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    t:none,\
 #    nolog,\
 #    tag:'OWASP_CRS',\
-#    ver:'OWASP_CRS/4.13.0-dev',\
+#    ver:'OWASP_CRS/4.13.0',\
 #    setvar:'tx.restricted_headers_extended=/accept-charset/'"
 
 # Content-Types charsets that a client is allowed to send in a request.
@@ -661,7 +661,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    t:none,\
 #    nolog,\
 #    tag:'OWASP_CRS',\
-#    ver:'OWASP_CRS/4.13.0-dev',\
+#    ver:'OWASP_CRS/4.13.0',\
 #    setvar:'tx.allowed_request_content_type_charset=|utf-8| |iso-8859-1| |iso-8859-15| |windows-1252|'"
 
 #
@@ -687,7 +687,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    t:none,\
 #    nolog,\
 #    tag:'OWASP_CRS',\
-#    ver:'OWASP_CRS/4.13.0-dev',\
+#    ver:'OWASP_CRS/4.13.0',\
 #    setvar:tx.max_num_args=255"
 
 # Block request if the length of any argument name is too high
@@ -701,7 +701,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    t:none,\
 #    nolog,\
 #    tag:'OWASP_CRS',\
-#    ver:'OWASP_CRS/4.13.0-dev',\
+#    ver:'OWASP_CRS/4.13.0',\
 #    setvar:tx.arg_name_length=100"
 
 # Block request if the length of any argument value is too high
@@ -715,7 +715,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    t:none,\
 #    nolog,\
 #    tag:'OWASP_CRS',\
-#    ver:'OWASP_CRS/4.13.0-dev',\
+#    ver:'OWASP_CRS/4.13.0',\
 #    setvar:tx.arg_length=400"
 
 # Block request if the total length of all combined arguments is too high
@@ -729,7 +729,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    t:none,\
 #    nolog,\
 #    tag:'OWASP_CRS',\
-#    ver:'OWASP_CRS/4.13.0-dev',\
+#    ver:'OWASP_CRS/4.13.0',\
 #    setvar:tx.total_arg_length=64000"
 
 # Block request if the file size of any individual uploaded file is too high
@@ -743,7 +743,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    t:none,\
 #    nolog,\
 #    tag:'OWASP_CRS',\
-#    ver:'OWASP_CRS/4.13.0-dev',\
+#    ver:'OWASP_CRS/4.13.0',\
 #    setvar:tx.max_file_size=1048576"
 
 # Block request if the total size of all combined uploaded files is too high
@@ -757,7 +757,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    t:none,\
 #    nolog,\
 #    tag:'OWASP_CRS',\
-#    ver:'OWASP_CRS/4.13.0-dev',\
+#    ver:'OWASP_CRS/4.13.0',\
 #    setvar:tx.combined_file_sizes=1048576"
 
 
@@ -797,7 +797,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    pass,\
 #    nolog,\
 #    tag:'OWASP_CRS',\
-#    ver:'OWASP_CRS/4.13.0-dev',\
+#    ver:'OWASP_CRS/4.13.0',\
 #    setvar:tx.sampling_percentage=100"
 
 
@@ -818,7 +818,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    t:none,\
 #    nolog,\
 #    tag:'OWASP_CRS',\
-#    ver:'OWASP_CRS/4.13.0-dev',\
+#    ver:'OWASP_CRS/4.13.0',\
 #    setvar:tx.crs_validate_utf8_encoding=1"
 
 # -- [[ Skip Checking Responses ]] ------------------------------------------------
@@ -840,7 +840,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    t:none,\
 #    nolog,\
 #    tag:'OWASP_CRS',\
-#    ver:'OWASP_CRS/4.13.0-dev',\
+#    ver:'OWASP_CRS/4.13.0',\
 #    setvar:tx.crs_skip_response_analysis=1"
 
 #
@@ -861,5 +861,5 @@ SecAction \
     t:none,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.13.0-dev',\
+    ver:'OWASP_CRS/4.13.0',\
     setvar:tx.crs_setup_version=4130"
@@ -1,5 +1,5 @@
 # ------------------------------------------------------------------------
-# OWASP CRS ver.4.13.0-dev
+# OWASP CRS ver.4.13.0
 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
 # Copyright (c) 2021-2025 CRS project. All rights reserved.
 #
Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,5 @@`
`1`	`1`	`# ------------------------------------------------------------------------`
`2`		`-# OWASP CRS ver.4.13.0-dev`
	`2`	`+# OWASP CRS ver.4.13.0`
`3`	`3`	`# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.`
`4`	`4`	`# Copyright (c) 2021-2025 CRS project. All rights reserved.`
`5`	`5`	`#`