OWASP CRS v4.25.0 LTS Released — First Long-Term Support for CRS 4
16 views
Skip to first unread message
Felipe Zipitria
Mar 29, 2026, 10:34:24 AM (4 days ago) Mar 29
to OWASP CRS project
Hi all,
We are happy to announce the release of CRS v4.25.0, the first Long-Term Support (LTS) release for the CRS 4 series.
This is the release we recommend for organizations that want a stable foundation with security patches and critical bug fixes — without tracking our rapid development cycle. If you have been waiting for a stability signal to migrate from CRS 3.3.x, this is it.
Key highlights:
- The v4.25.x LTS branch will receive security fixes until Q3 2027.
- A formal Backport Policy defines exactly what gets cherry-picked into the LTS: security fixes, regression fixes, critical PL1 false positive fixes, and engine compatibility fixes. New rules, features, and refactoring are never backported.
- LTS point releases follow a quarterly cadence, with out-of-band releases for security issues.
- Docker images are available for both ModSecurity and Coraza containers with 4.25-lts tags.
- The Security Policy has been updated to reflect LTS support alongside the two latest stable releases.
We applied lessons from the CRS 3.3 maintenance experience: there is a single lts/v4.25.x branch (no dev/master split), strict cherry-pick discipline with traceability, frozen CI pipelines, and mandatory cross-review for every backport.
Full details, download instructions, and Docker image tags are in the blog post:
https://coreruleset.org/20260321/announcing-crs-v4-25-lts/
Direct download:
https://github.com/coreruleset/coreruleset/archive/refs/tags/v4.25.0.tar.gz
Development on main continues at full speed — new rules, detections, and toolchain improvements will keep shipping in regular stable releases. We are also preparing the migration to crslang, which will start the process for our next major release. More on that soon.
Maintaining an LTS line is a significant investment for an open-source project. We are grateful to our sponsors and welcome organizations that depend on CRS to consider supporting the LTS initiative. Reach out to felipe....@owasp.org if interested.
Thanks to all contributors and the OWASP CRS community for making this milestone possible.
Best regards,
Felipe Zipitría
On behalf of the OWASP CRS Team
We are happy to announce the release of CRS v4.25.0, the first Long-Term Support (LTS) release for the CRS 4 series.
This is the release we recommend for organizations that want a stable foundation with security patches and critical bug fixes — without tracking our rapid development cycle. If you have been waiting for a stability signal to migrate from CRS 3.3.x, this is it.
Key highlights:
- The v4.25.x LTS branch will receive security fixes until Q3 2027.
- A formal Backport Policy defines exactly what gets cherry-picked into the LTS: security fixes, regression fixes, critical PL1 false positive fixes, and engine compatibility fixes. New rules, features, and refactoring are never backported.
- LTS point releases follow a quarterly cadence, with out-of-band releases for security issues.
- Docker images are available for both ModSecurity and Coraza containers with 4.25-lts tags.
- The Security Policy has been updated to reflect LTS support alongside the two latest stable releases.
We applied lessons from the CRS 3.3 maintenance experience: there is a single lts/v4.25.x branch (no dev/master split), strict cherry-pick discipline with traceability, frozen CI pipelines, and mandatory cross-review for every backport.
Full details, download instructions, and Docker image tags are in the blog post:
https://coreruleset.org/20260321/announcing-crs-v4-25-lts/
Direct download:
https://github.com/coreruleset/coreruleset/archive/refs/tags/v4.25.0.tar.gz
Development on main continues at full speed — new rules, detections, and toolchain improvements will keep shipping in regular stable releases. We are also preparing the migration to crslang, which will start the process for our next major release. More on that soon.
Maintaining an LTS line is a significant investment for an open-source project. We are grateful to our sponsors and welcome organizations that depend on CRS to consider supporting the LTS initiative. Reach out to felipe....@owasp.org if interested.
Thanks to all contributors and the OWASP CRS community for making this milestone possible.
Best regards,
Felipe Zipitría
On behalf of the OWASP CRS Team
Reply all
Reply to author
Forward
0 new messages