We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Crisp.chat (Helpdesk and Chat)

Ok

THREATINT
PUBLISHED

CVE-2025-29914

OWASP Coraza WAF has parser confusion which leads to wrong URI in `REQUEST_FILENAME`



Description

OWASP Coraza WAF is a golang modsecurity compatible web application firewall library. Prior to 3.3.3, if a request is made on an URI starting with //, coraza will set a wrong value in REQUEST_FILENAME. For example, if the URI //bar/uploads/foo.php?a=b is passed to coraza: , REQUEST_FILENAME will be set to /uploads/foo.php. This can lead to a rules bypass. This vulnerability is fixed in 3.3.3.

Reserved 2025-03-12 | Published 2025-03-20 | Updated 2025-03-20 | Assigner GitHub_M


MEDIUM: 5.4CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N

Problem types

CWE-706: Use of Incorrectly-Resolved Name or Reference

Product status

< 3.3.3
affected

References

github.com/...coraza/security/advisories/GHSA-q9f5-625g-xm39

github.com/...ommit/4722c9ad0d502abd56b8d6733c6b47eb4111742d

cve.org (CVE-2025-29914)

nvd.nist.gov (CVE-2025-29914)

Download JSON

Share this page
https://cve.threatint.eu/CVE/CVE-2025-29914

Support options

Helpdesk Chat, Email, Knowledgebase
© Copyright 2025 THREATINT
Made in Cyprus with +
 System status
Find us on
Data Privacy
Terms of Use
Logo BSI Allianz für Cyber-Sicherheit
Error loading Crisp.chat. Please check your web content filter and browser plugins.