CVE-2025-29914
📋 TL;DR
CVE-2025-29914 is a path normalization vulnerability in OWASP Coraza WAF where requests starting with double slashes (//) cause incorrect REQUEST_FILENAME variable assignment. This allows attackers to bypass security rules by manipulating URI paths. Organizations using Coraza WAF versions before 3.3.3 are affected.
💻 Affected Systems
- OWASP Coraza WAF
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete WAF bypass enabling successful exploitation of underlying web application vulnerabilities (SQL injection, XSS, RCE) that would normally be blocked.
Likely Case
Partial WAF bypass allowing some attacks to evade detection while others are still caught, depending on rule specificity.
If Mitigated
Limited impact with proper defense-in-depth controls including additional security layers and input validation.
🎯 Exploit Status
Exploitation requires sending specially crafted URIs starting with // to bypass path-based rules.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.3.3
Vendor Advisory: https://github.com/corazawaf/coraza/security/advisories/GHSA-q9f5-625g-xm39
Restart Required: Yes
Instructions:
1. Update Coraza WAF to version 3.3.3 or later.
2. Restart the WAF service.
3. Verify the update was successful.
🔧 Temporary Workarounds
Input Validation Rule
Add a custom rule to reject requests whose path starts with a double slash:
SecRule REQUEST_URI "^//" "id:1000,phase:1,deny,status:400,msg:'Double slash path manipulation attempt'"
SecRule REQUEST_FILENAME "@rx ^//" "id:1001,phase:1,deny,status:400,msg:'Double slash path manipulation attempt'"
SecRule REQUEST_URI_RAW "^//" "id:1002,phase:1,deny,status:400,msg:'Double slash path manipulation attempt'"
🧯 If You Can't Patch
- Implement additional WAF or reverse proxy layer with proper path normalization
- Add application-level input validation to reject malformed URIs
🔍 How to Verify
Check if Vulnerable:
Send a request whose URI starts with // and check whether the REQUEST_FILENAME variable is populated incorrectly.
Check Version:
coraza --version or check go.mod for coraza version
Verify Fix Applied:
After patching, repeat the same // request and verify that REQUEST_FILENAME now holds the correct value.
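The bypass described in the TL;DR, the double-slash workaround rule and the verification step can be reproduced with the following Go program. It is an added illustration of the path-normalization failure mode, not Coraza's own code: whether Coraza derived REQUEST_FILENAME through exactly this call is not stated on this page. The `adminRuleMatches` rule, the canonical form produced by `path.Clean`, and all function names are this example's own assumptions.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// adminRuleMatches is a hypothetical stand-in for any REQUEST_FILENAME-based
// rule, e.g. SecRule REQUEST_FILENAME "@beginsWith /admin" "deny".
func adminRuleMatches(requestFilename string) bool {
	return strings.HasPrefix(requestFilename, "/admin")
}

// naiveRequestFilename derives the filename with a general-purpose URL parser.
// A request target such as "//admin/users" is read as a scheme-relative URL:
// "admin" becomes the host and the path shrinks to "/users", so a rule keyed
// on "/admin" never sees it. This is the class of bug the page describes.
func naiveRequestFilename(rawTarget string) string {
	u, err := url.Parse(rawTarget)
	if err != nil {
		return ""
	}
	return u.Path
}

// hardenedRequestFilename parses the target as an HTTP request-URI (absolute
// path or absolute-form URI only), so a leading "//" stays inside the path,
// then collapses repeated slashes and dot segments before any rule runs.
// Using path.Clean as the canonical form is this example's assumption.
func hardenedRequestFilename(rawTarget string) (string, error) {
	u, err := url.ParseRequestURI(rawTarget)
	if err != nil {
		return "", err
	}
	if !strings.HasPrefix(u.Path, "/") {
		return "", fmt.Errorf("request target %q is not an absolute path", rawTarget)
	}
	return path.Clean(u.Path), nil
}

// rejectsDoubleSlash is the page's interim workaround expressed as a
// pre-check on the raw request target, before any variable is derived.
func rejectsDoubleSlash(rawTarget string) bool {
	return strings.HasPrefix(rawTarget, "//")
}

func main() {
	// Constructed request targets: a normal one, the "//" case from the page,
	// and a triple-slash variant that a generic parser does not treat as a host.
	for _, target := range []string{"/admin/users", "//admin/users", "///admin/users"} {
		naive := naiveRequestFilename(target)
		hard, err := hardenedRequestFilename(target)
		if err != nil {
			fmt.Printf("%-16s hardened parse error: %v\n", target, err)
			continue
		}
		fmt.Printf("%-16s naive=%-16q rule=%-5v hardened=%-16q rule=%-5v reject=%v\n",
			target, naive, adminRuleMatches(naive), hard, adminRuleMatches(hard), rejectsDoubleSlash(target))
	}
}
```

Run it with `go run`: the middle output line shows `//admin/users` becoming host `admin` plus path `/users` under generic parsing, so the `/admin` rule misses, while the request-URI parser keeps the leading slashes in the path and canonicalises them so the rule fires. Because the defect is in how REQUEST_FILENAME is populated, a pre-check that reads the raw target (as `rejectsDoubleSlash` does) is the one that does not depend on the affected variable.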
📡 Detection & Monitoring
Log Indicators:
- Requests with URIs starting with //
- WAF rule bypass events
- Unexpected successful attacks that should be blocked
Network Indicators:
- HTTP requests with // in path
- Increased attack success rates
SIEM Query:
http.uri="//*" OR http.request.uri="//*"
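The log indicators and SIEM query above, applied to access-log lines in Go. This is an added example, not part of the page and not Coraza tooling; the combined-log-format layout, the sample lines (constructed, with documentation-range addresses) and the `Hit` type are assumptions. It flags any request whose path contains `//`, and marks separately the leading-`//` case that this CVE concerns, together with the response status so that successful (200) hits stand out.

```go
package main

import (
	"bufio"
	"fmt"
	"net/url"
	"regexp"
	"strconv"
	"strings"
)

// Constructed sample access-log lines (combined log format); not real traffic.
const sampleLog = `203.0.113.7 - - [10/Mar/2025:10:12:01 +0000] "GET /admin/users HTTP/1.1" 403 0 "-" "curl/8.4"
203.0.113.7 - - [10/Mar/2025:10:12:02 +0000] "GET //admin/users HTTP/1.1" 200 512 "-" "curl/8.4"
198.51.100.9 - - [10/Mar/2025:10:13:40 +0000] "POST /api/items?id=1 HTTP/1.1" 200 77 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2025:10:13:41 +0000] "GET ///static//app.js HTTP/1.1" 200 9021 "-" "Mozilla/5.0"
`

// clfRe captures client, timestamp, method, request target, protocol and status.
var clfRe = regexp.MustCompile(`^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) (\S+)" (\d{3})`)

// Hit is one suspicious request (type name is this example's assumption).
type Hit struct {
	Client             string
	Target             string
	Status             int
	LeadingDoubleSlash bool // path begins with "//": the indicator for this CVE
}

// scanLog returns every request whose path contains "//". The target is parsed
// as a request-URI so that the query string and an absolute-form scheme ("http://")
// do not produce false positives; only the path component is inspected.
func scanLog(logText string) []Hit {
	var hits []Hit
	sc := bufio.NewScanner(strings.NewReader(logText))
	for sc.Scan() {
		m := clfRe.FindStringSubmatch(sc.Text())
		if m == nil {
			continue // not a line we understand; skip rather than guess
		}
		u, err := url.ParseRequestURI(m[4])
		if err != nil {
			continue
		}
		if !strings.Contains(u.Path, "//") {
			continue
		}
		status, _ := strconv.Atoi(m[6])
		hits = append(hits, Hit{
			Client:             m[1],
			Target:             m[4],
			Status:             status,
			LeadingDoubleSlash: strings.HasPrefix(u.Path, "//"),
		})
	}
	return hits
}

func main() {
	for _, h := range scanLog(sampleLog) {
		fmt.Printf("client=%s target=%q status=%d leading_double_slash=%v\n",
			h.Client, h.Target, h.Status, h.LeadingDoubleSlash)
	}
}
```

The two flagged lines are the `//admin/users` request that returned 200 after the plain `/admin/users` request was denied, which is exactly the "unexpected successful attacks that should be blocked" pattern listed above, and the `///static//app.js` request, which matches the broader "// in path" indicator but may be benign client noise; keeping the status and the leading-slash flag separate lets an analyst rank them.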