Headline
GHSA-q9f5-625g-xm39: OWASP Coraza WAF has parser confusion which leads to wrong URI in `REQUEST_FILENAME`
Summary
URLs starting with // are not parsed properly, and the request REQUEST_FILENAME variable contains a wrong value, leading to potential rules bypass.
Details
If a request is made on an URI starting with //, coraza will set a wrong value in REQUEST_FILENAME.
For example, if the URI //bar/uploads/foo.php?a=b is passed to coraza: , REQUEST_FILENAME will be set to /uploads/foo.php.
The root cause is the usage of url.Parse to parse the URI in ProcessURI.
url.Parse can parse both absolute URLs (starting with a scheme) or relative ones (just the path).
//bar/uploads/foo.php is a valid absolute URI (the scheme is empty), url.Parse will consider bar as the host and the path will be set to /uploads/foo.php.
PoC
package main
import (
"fmt"
"net/url"
"os"
"github.com/corazawaf/coraza/v3"
)
const testRule = `
SecDebugLogLevel 9
SecDebugLog /dev/stdout
SecRule REQUEST_FILENAME "@rx /bar/uploads/.*\.(h?ph(p|tm?l?|ar)|module|shtml)" "id:1,phase:1,deny"
`
func main() {
var testURL = "//bar/uploads/foo.php"
if os.Getenv("TEST_URL") != "" {
testURL = os.Getenv("TEST_URL")
}
fmt.Printf("Testing URL: %s\n", testURL)
config := coraza.NewWAFConfig().WithDirectives(testRule)
waf, err := coraza.NewWAF(config)
if err != nil {
panic(err)
}
tx := waf.NewTransaction()
tx.ProcessURI(testURL, "GET", "HTTP/1.1")
in := tx.ProcessRequestHeaders()
if in != nil {
fmt.Printf("%+v\n", in)
}
}
Impact
Potential bypass of rules using REQUEST_FILENAME.
- GitHub Advisory Database
- GitHub Reviewed
- CVE-2025-29914
OWASP Coraza WAF has parser confusion which leads to wrong URI in `REQUEST_FILENAME`
Moderate severity GitHub Reviewed Published Mar 20, 2025 in corazawaf/coraza • Updated Mar 20, 2025
Package
gomod github.com/corazawaf/coraza/v3 (Go)
Affected versions
< 3.3.3
gomod github.com/jptosso/coraza-waf (Go)
Summary
URLs starting with // are not parsed properly, and the request REQUEST_FILENAME variable contains a wrong value, leading to potential rules bypass.
Details
If a request is made on an URI starting with //, coraza will set a wrong value in REQUEST_FILENAME.
For example, if the URI //bar/uploads/foo.php?a=b is passed to coraza: , REQUEST_FILENAME will be set to /uploads/foo.php.
The root cause is the usage of url.Parse to parse the URI in ProcessURI.
url.Parse can parse both absolute URLs (starting with a scheme) or relative ones (just the path).
//bar/uploads/foo.php is a valid absolute URI (the scheme is empty), url.Parse will consider bar as the host and the path will be set to /uploads/foo.php.
PoC
package main
import ( “fmt” “net/url” “os”
"github.com/corazawaf/coraza/v3"
)
const testRule = ` SecDebugLogLevel 9 SecDebugLog /dev/stdout SecRule REQUEST_FILENAME "@rx /bar/uploads/.*\.(h?ph(p|tm?l?|ar)|module|shtml)" “id:1,phase:1,deny” `
func main() { var testURL = “//bar/uploads/foo.php”
if os.Getenv("TEST\_URL") != "" {
testURL \= os.Getenv("TEST\_URL")
}
fmt.Printf("Testing URL: %s\\n", testURL)
config := coraza.NewWAFConfig().WithDirectives(testRule)
waf, err := coraza.NewWAF(config)
if err != nil {
panic(err)
}
tx := waf.NewTransaction()
tx.ProcessURI(testURL, "GET", "HTTP/1.1")
in := tx.ProcessRequestHeaders()
if in != nil {
fmt.Printf("%+v\\n", in)
}
}
Impact
Potential bypass of rules using REQUEST_FILENAME.
References
- GHSA-q9f5-625g-xm39
- https://nvd.nist.gov/vuln/detail/CVE-2025-29914
- corazawaf/coraza@4722c9a
Published to the GitHub Advisory Database
Mar 20, 2025
Last updated
Mar 20, 2025