New CVE Detections
Cloudflare has rolled out proactive WAF rules to defend against two newly disclosed vulnerabilities affecting widely-used software:
CVE-2025-68645 (Zimbra LFI): A local file inclusion vulnerability in Zimbra Collaboration Suite versions 10.0 and 10.1 allows unauthenticated attackers to craft malicious requests to the /h/rest endpoint. By exploiting improper internal dispatching logic, attackers can include arbitrary files from the WebRoot directory, potentially exposing sensitive configuration, credentials, and user data.
CVE-2025-31125 (Vite Path Traversal): Vite's JavaScript development server exposes non-allowed files when accessed with specific ?inline&import query parameters on network-exposed instances. This enables unauthorized file reads and can leak sensitive information including source code and environment variables.
Rule Changes
Two new rules have been added to the Cloudflare Managed Ruleset with immediate blocking enabled:
- Zimbra Rule (ID: ...833761f7): Detects Local File Inclusion attempts against the Zimbra /h/rest endpoint. Previous action was Log; now set to Block.
- Vite Rule (ID: ...950ed8c8): Detects WASM import path traversal attempts against Vite servers. Previous action was Log; now set to Block.
Action Items
- Existing WAF-enabled domains will automatically receive these protections
- Review your WAF logs to identify any legitimate traffic affected by the new blocking rules
- Consider upgrading vulnerable Zimbra instances (ZCS 10.0/10.1) and ensure Vite development servers are not exposed to untrusted networks
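To support the log-review step above, the following added example (not Cloudflare's code or its rule logic) triages constructed combined-format access-log lines for the two request shapes the advisory describes: any request under the Zimbra /h/rest endpoint, and Vite dev-server requests carrying both the inline and import query keys. It assumes a standard combined log layout; the real managed rules match more precisely than this, so its purpose is only to surface candidate traffic for a human to check.

```python
"""Triage helper for the changelog's review step: scan access-log lines for
requests that the new Cloudflare rules would now block, so an operator can
see which hosts and clients are affected. Log lines are constructed."""
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Combined-log-style sample lines, constructed for this example (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jan/2026:10:00:01 +0000] "GET /h/rest/some/path HTTP/1.1" 200 512
203.0.113.11 - - [01/Jan/2026:10:00:02 +0000] "GET /src/App.tsx?inline&import HTTP/1.1" 200 1024
203.0.113.12 - - [01/Jan/2026:10:00:03 +0000] "GET /src/App.tsx?import HTTP/1.1" 200 1024
203.0.113.13 - - [01/Jan/2026:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 2048
"""

# client_ip, method, request target, status code
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def classify(request_target: str) -> Optional[str]:
    """Return which rule family a request target resembles, or None.

    'zimbra-lfi': any request to the Zimbra /h/rest endpoint (a candidate
    for review; legitimate Zimbra clients may also use this endpoint).
    'vite-traversal': a request carrying both the `inline` and `import`
    query keys, the shape named for CVE-2025-31125.
    """
    parts = urlsplit(request_target)
    if parts.path == "/h/rest" or parts.path.startswith("/h/rest/"):
        return "zimbra-lfi"
    keys = parse_qs(parts.query, keep_blank_values=True)
    if "inline" in keys and "import" in keys:
        return "vite-traversal"
    return None


def triage(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (client_ip, rule, request_target) for every matching line."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        ip, _method, target, _status = m.groups()
        rule = classify(target)
        if rule:
            hits.append((ip, rule, target))
    return hits


if __name__ == "__main__":
    for ip, rule, target in triage(SAMPLE_LOG):
        print(f"{ip:15} {rule:15} {target}")
```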