Title: Monthly Chat Agenda November 2025 (2025-11-03)

This is the Agenda for the Monthly CRS Chat.

The chat is going to happen on https://owasp.slack.com in the channel #coreruleset on Monday, 2025-11-03, at 20:30 CET (CEST during summer in the Northern Hemisphere). That's the 1st Monday of the month. Please note that we have a CRS calendar (maintained by @fzipi).

Archived previous meetings and their decision are here.

What happened in the meantime since the chat last month

Outside development

Inside development

Rules

CRS Sandbox

• Updated to latest v4.20.0

Security

• No news here

Plugins

• New plugin: https://github.com/coreruleset/false-positive-report-plugin

Documentation and Public Relations

• @fzipi met with Jerry Hoff for the appsec.fm podcast talking about the OWASP CRS project (To be published).

Project Administration and Sponsor relationships

• No news on this front.

Tools

Testing incl. Seaweed and many future plans

• No news here.

Containers

• FIXME: Please fill in

Project discussions and decisions

• Moving rule 941120 from PL2 to PL1
• In rule 932290(PR #3813), should we add a stricter sibling for the rule detecting quoted words?
• https://groups.google.com/a/owasp.org/g/modsecurity-core-rule-set-project/c/na7KW9gXXOg/m/tOT5irxLAwAJ

Rules development, key project numbers

PRs that have been merged since the last meeting

• chore: post-release v4.21.0-dev #4314
• chore: release v4.20.0 #4313
• fix(942160): updating regex to deal with new payloads #4292
• feat: add expect header to list of restricted headers #4298
• fix(932240): reduce false positive matches with json payloads #4290
• fix(942560): missing capture keyword #4285
• chore: update SECRULES_PARSING_VERSION to 0.2.12 #4310
• feat(930120): adding conf file for PrestaShop 1.6 / 1.7 / 8+ & Magento 2 #4303
• fix: make sure that the PR template is being shown #4309
• fix(942550): partial revert - too high risk of false positive #4284
• fix(921180, 921210, 921220): should be block not pass #4294
• fix(932281): reduce false positive matches with json payload #4288
• feat: update restricted file extensions #4287
• chore(deps): update owasp/modsecurity-crs:apache docker digest to 2c61e50 in tests/docker-compose.yml #4279
• chore(deps): update owasp/modsecurity-crs:nginx docker digest to 3b6edff in tests/docker-compose.yml #4280

We merged 15 PRs since the last monthly project chat.

Open PRs

Open PRs marked DRAFT or work in progress or needs action

• chore(deps): update ghcr.io/coreruleset/albedo docker tag to v0.3.0 in tests/docker-compose.yml #4311
• chore(deps): update owasp/modsecurity-crs:nginx docker digest to de73971 in tests/docker-compose.yml #4296
• chore(deps): update owasp/modsecurity-crs:apache docker digest to b18eed0 in tests/docker-compose.yml #4295
• chore: add quant as comment #3925
• feat: update restricted files and file extensions #4299
• fix(931130): Isolating 2-chars sequence with high risk of false positive on high entropy input #4304
• fix(942431): reduce false positive #4305
• fix(932205): remove dot star #4168
• feat: add 920630 to prevent fingerprinting #4297
• fix(942431): updated regex pattern to NOT include non-ascii characters #4307
• feat: add 921500 - Nonstandard urlencode characters in path #4302
• fix(942360): update sqli payloads #4238
• feat: added detection for quote evasion #3813
• fix(932130): use lazy regex #3730
• fix(942200): False Positive #4236
• fix(942420): Clarify false positives and exclusions for SQLI rule #4293
• fix(941120): new regex is eligible for Paranoia Level 1 #4291
• fix(932180): avoid false positives #4282
• fix(security): resolve SQL injection protection bypass (942380 PL2) #3720
• fix: add separate rule to match unix commands with no arguments #4273
• fix(934140): update perl interpolation regex #4250
• feat: updated unix shell builtins #4271
• chore: 920190 bypass #4278
• fix: remove non-unix commands from unix rce rules (932230 PL-1, 932235 PL-1, 932250 PL-1, 932260 PL-1, 932220 PL-2, 932236 PL-2, 932239 PL-2, 932237 PL-3) #4247

How to get to our slack and join the meeting?

If you are not yet on the OWASP Slack, here is your invite: https://owasp.org/slack/invite .

Everybody is welcome to join our community chat.