CVE-2025-29914

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-29914
OWASP Coraza WAF is a golang modsecurity compatible web application firewall library. Prior to 3.3.3, if a request is made on an URI starting with //, coraza will set a wrong value in REQUEST_FILENAME. For example, if the URI //bar/uploads/foo.php?a=b is passed to coraza: , REQUEST_FILENAME will be set to /uploads/foo.php. This can lead to a rules bypass. This vulnerability is fixed in 3.3.3.

5.4 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.2 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References
Link Resource
https://github.com/corazawaf/coraza/commit/4722c9ad0d502abd56b8d6733c6b47eb4111742d
https://github.com/corazawaf/coraza/security/advisories/GHSA-q9f5-625g-xm39
Configurations

No configuration.

History

15 Apr 2026, 00:35

Type Values Removed Values Added
Summary
  • (es) OWASP Coraza WAF es una librería de firewall de aplicaciones web compatible con Golang Modsecurity. En versiones anteriores a la 3.3.3, si se realiza una solicitud en una URI que empieza por //, coraza asigna un valor incorrecto a REQUEST_FILENAME. Por ejemplo, si se asigna la URI //bar/uploads/foo.php?a=b a coraza:, REQUEST_FILENAME se asignará a /uploads/foo.php. Esto puede provocar la omisión de reglas. Esta vulnerabilidad se corrigió en la 3.3.3.

20 Mar 2025, 18:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-03-20 18:15

Updated : 2026-04-15 00:35

NVD link : CVE-2025-29914

Mitre link : CVE-2025-29914

CVE.ORG link : CVE-2025-29914

JSON object : View

Products Affected

No product.

CWE
CWE-706

Use of Incorrectly-Resolved Name or Reference