Medium severity 5.4 · OSV Advisory · Published Mar 20, 2025 · Updated Apr 15, 2026
CVE-2025-29914
Description
OWASP Coraza WAF is a Go web application firewall library compatible with ModSecurity. Prior to 3.3.3, if a request is made to a URI starting with //, Coraza sets a wrong value in REQUEST_FILENAME. For example, if the URI //bar/uploads/foo.php?a=b is passed to Coraza, REQUEST_FILENAME will be set to /uploads/foo.php. This can lead to a rules bypass. This vulnerability is fixed in 3.3.3.
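An added illustration (not Coraza's code and not part of the advisory) of how a leading // can change the filename a Go program derives from a request target: the standard library's url.Parse reads //bar as an authority, while url.ParseRequestURI keeps it in the path. That Coraza's wrong value arises this way is an assumption; the function names are hypothetical.

```go
package main

import (
	"fmt"
	"net/url"
)

// filenameViaParse derives the path with the generic URL parser.
// url.Parse treats a leading "//" as the start of an authority (host),
// so the first segment is moved out of the path.
func filenameViaParse(target string) (string, error) {
	u, err := url.Parse(target)
	if err != nil {
		return "", err
	}
	return u.Path, nil
}

// filenameViaRequestURI parses the target as an HTTP request-target
// (absolute path or absolute URI), so "//bar/..." stays in the path.
func filenameViaRequestURI(target string) (string, error) {
	u, err := url.ParseRequestURI(target)
	if err != nil {
		return "", err
	}
	return u.Path, nil
}

// pathsDisagree reports whether the two parsers derive different paths,
// or whether either rejects the target. Usable as a log-review or
// pre-filter check for targets a path-based rule may see differently.
func pathsDisagree(target string) bool {
	a, errA := filenameViaParse(target)
	b, errB := filenameViaRequestURI(target)
	return errA != nil || errB != nil || a != b
}

func main() {
	// Constructed sample targets; the first is the advisory's example URI.
	for _, t := range []string{"//bar/uploads/foo.php?a=b", "/bar/uploads/foo.php?a=b"} {
		a, _ := filenameViaParse(t)
		b, _ := filenameViaRequestURI(t)
		fmt.Printf("%-28s Parse=%q RequestURI=%q disagree=%v\n", t, a, b, pathsDisagree(t))
	}
}
```

A rule keyed on the /bar/ prefix would not match the value returned by the first parser, which is the kind of mismatch the advisory describes.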
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/jptosso/coraza-waf (Go) | < 3.3.3 | 3.3.3 |
| github.com/corazawaf/coraza/v3 (Go) | < 3.3.3 | 3.3.3 |
Affected products
4 products:
- ghsa-coords (3 versions): pkg:golang/github.com/corazawaf/coraza/v3, pkg:golang/github.com/jptosso/coraza-waf, pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Tumbleweed
- (no CPE) range: < 3.3.3
- (no CPE) range: < 3.3.3
- (no CPE) range: < 0.0.20250327T184518-1.1