GHSA-q9f5-625g-xm39

Published: 20 Mar 2025
Source: github
GitHub: reviewed
CVSS3: 5.4

Description

OWASP Coraza WAF has parser confusion which leads to wrong URI in REQUEST_FILENAME

Summary

URLs starting with // are not parsed properly, so the REQUEST_FILENAME variable receives a wrong value, which can lead to a rules bypass.

Details

If a request is made on a URI starting with //, coraza will set a wrong value in REQUEST_FILENAME. For example, if the URI //bar/uploads/foo.php?a=b is passed to coraza, REQUEST_FILENAME will be set to /uploads/foo.php.

The root cause is the usage of url.Parse to parse the URI in ProcessURI.

url.Parse can parse either absolute URLs (starting with a scheme) or relative ones (just the path). //bar/uploads/foo.php is parsed as a scheme-relative reference (the scheme is empty and the part after // is an authority), so url.Parse will consider bar to be the host and set the path to /uploads/foo.php.
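To see the parser confusion described above in isolation, the following is an added example (not code from the advisory or from the coraza project). It runs the same request-target through url.Parse and url.ParseRequestURI, then applies the advisory's SecRule regex to each resulting path the way @rx would. The helper names (viaParse, viaParseRequestURI, ruleWouldMatch) are this example's own, and using ParseRequestURI is shown as one remedy; whether it is the exact change shipped in coraza 3.3.3 is an assumption, not something the advisory states.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
)

// Hypothetical helper names (viaParse, viaParseRequestURI, ruleWouldMatch)
// belong to this example only; they are not coraza API.

// Filename holds what a WAF would expose as REQUEST_FILENAME (the path of the
// request-target without the query string) plus whatever the parser took for a host.
type Filename struct {
	Host string // non-empty only when a path segment was mistaken for an authority
	Path string
}

// viaParse reproduces the vulnerable behaviour described in the advisory:
// url.Parse accepts scheme-relative URLs, so a request-target beginning with
// "//" is split into an authority ("bar") and a path ("/uploads/foo.php").
func viaParse(target string) (Filename, error) {
	u, err := url.Parse(target)
	if err != nil {
		return Filename{}, err
	}
	return Filename{Host: u.Host, Path: u.Path}, nil
}

// viaParseRequestURI parses the request-target the way net/http does for an
// incoming request line: a leading "//" is never treated as an authority, so
// the whole path survives. This is one remedy; that it matches the fix in
// coraza 3.3.3 is an assumption of this example.
func viaParseRequestURI(target string) (Filename, error) {
	u, err := url.ParseRequestURI(target)
	if err != nil {
		return Filename{}, err
	}
	return Filename{Host: u.Host, Path: u.Path}, nil
}

// uploadRule is the regex from the advisory's SecRule, applied unanchored
// to REQUEST_FILENAME exactly as the @rx operator would.
var uploadRule = regexp.MustCompile(`/bar/uploads/.*\.(h?ph(p|tm?l?|ar)|module|shtml)`)

// ruleWouldMatch reports whether the advisory's rule fires on a REQUEST_FILENAME value.
func ruleWouldMatch(filename string) bool {
	return uploadRule.MatchString(filename)
}

func main() {
	// Constructed sample request-targets: the advisory's bypass case and a normal one.
	for _, target := range []string{"//bar/uploads/foo.php?a=b", "/bar/uploads/foo.php?a=b"} {
		bad, _ := viaParse(target)
		good, _ := viaParseRequestURI(target)
		fmt.Printf("%-28s url.Parse -> host=%q path=%q match=%v | ParseRequestURI -> host=%q path=%q match=%v\n",
			target, bad.Host, bad.Path, ruleWouldMatch(bad.Path),
			good.Host, good.Path, ruleWouldMatch(good.Path))
	}
}
```

For the bypass input, url.Parse yields host "bar" and path "/uploads/foo.php", on which the rule does not fire; url.ParseRequestURI keeps the path as "//bar/uploads/foo.php", on which it does. A defender checking whether a deployment is affected can feed the same pair of request-targets to its WAF and compare the REQUEST_FILENAME values it logs.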

PoC

package main

import (
	"fmt"
	"os"

	"github.com/corazawaf/coraza/v3"
)

// The rule denies any request whose REQUEST_FILENAME points at a script
// under /bar/uploads/. With the vulnerable parser, REQUEST_FILENAME for
// //bar/uploads/foo.php becomes /uploads/foo.php and the rule never fires.
const testRule = `
SecDebugLogLevel 9
SecDebugLog /dev/stdout
SecRule REQUEST_FILENAME "@rx /bar/uploads/.*\.(h?ph(p|tm?l?|ar)|module|shtml)" "id:1,phase:1,deny"
`

func main() {
	// Default to the bypass case; TEST_URL overrides it for comparison runs.
	var testURL = "//bar/uploads/foo.php"
	if os.Getenv("TEST_URL") != "" {
		testURL = os.Getenv("TEST_URL")
	}
	fmt.Printf("Testing URL: %s\n", testURL)

	config := coraza.NewWAFConfig().WithDirectives(testRule)
	waf, err := coraza.NewWAF(config)
	if err != nil {
		panic(err)
	}

	tx := waf.NewTransaction()
	tx.ProcessURI(testURL, "GET", "HTTP/1.1")
	// ProcessRequestHeaders runs phase 1; a non-nil interruption means the rule matched.
	in := tx.ProcessRequestHeaders()
	if in != nil {
		fmt.Printf("%+v\n", in)
	}
}

Impact

Potential bypass of rules using REQUEST_FILENAME.

Packages

Name: github.com/jptosso/coraza-waf (go)
Affected versions: < 3.3.3
Fixed version: 3.3.3

Name: github.com/corazawaf/coraza/v3 (go)
Affected versions: < 3.3.3
Fixed version: 3.3.3

EPSS

Percentile: 30%
Score: 0.00112
Low

CVSS3: 5.4 Medium

Weaknesses

CWE-706

Related vulnerabilities

CVSS3: 5.4
nvd
11 months ago

OWASP Coraza WAF is a Go ModSecurity-compatible web application firewall library. Prior to 3.3.3, if a request is made on a URI starting with //, coraza will set a wrong value in REQUEST_FILENAME. For example, if the URI //bar/uploads/foo.php?a=b is passed to coraza, REQUEST_FILENAME will be set to /uploads/foo.php. This can lead to a rules bypass. This vulnerability is fixed in 3.3.3.
