
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2025-29914: The Double-Slash Deception: Bypassing Coraza WAF with RFC Compliance

Vulnerability ID: CVE-2025-29914
CVSS Score: 5.4
Published: 2025-03-20

A parser logic discrepancy in OWASP Coraza WAF allows attackers to bypass path-based security rules using double slashes in the URI, exploiting Go's standard URL parsing behavior.

TL;DR

Coraza WAF parsed request URIs with url.Parse, which treats a URI starting with // as a protocol-relative URL and reads the first path segment as a hostname. The path the WAF inspected therefore lost its first directory (//admin became a host named admin with an empty path), so path-based Access Control List (ACL) rules never matched, while the backend server still collapsed the double slash and served the sensitive path.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-706 (Use of Incorrectly-Resolved Name or Reference)
  • Attack Vector: Network (HTTP)
  • CVSS v3.1: 5.4 (Medium)
  • Impact: Security Bypass / ACL Evasion
  • Exploit Status: PoC Available
  • Language: Go (Golang)

Affected Systems

  • OWASP Coraza WAF < 3.3.3 (fixed in 3.3.3)
  • Go applications using Coraza as a library
  • Caddy with Coraza WAF module (older versions)
  • Traefik with Coraza middleware (older versions)

Code Analysis

Commit: 4722c9a

fix: use ParseRequestURI to properly handle double slashes

- parsedURL, err := url.Parse(uri)
+ parsedURL, err := url.ParseRequestURI(uri)
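Review bot: swapping in url.ParseRequestURI keeps the leading "//" in Path, but it does not collapse it, so parsedURL.Path for "//admin/users" is still "//admin/users" and any downstream rule that prefix-matches on "/admin" needs the path normalised before it is compared; worth confirming that step exists after this line. ParseRequestURI is also stricter than url.Parse (it returns an error for a request target that is neither an absolute URI nor an absolute path), so the existing err branch after this assignment should be checked for how it treats those newly rejected inputs.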

Exploit Details

  • Manual Analysis: Send a request to //target-path to bypass rules that match on /target-path

Mitigation Strategies

  • Dependency Update: move to Coraza 3.3.3 or later, which parses the request line with ParseRequestURI
  • Input Normalization: merge repeated slashes before path-based rules are evaluated
  • Defense in Depth: do not rely on WAF prefix rules alone to protect sensitive paths

Remediation Steps:

  1. Update the Go module: go get github.com/corazawaf/coraza/v3@v3.3.3
  2. Rebuild and redeploy any applications embedding the Coraza library.
  3. Verify upstream proxies (Nginx/HAProxy) are configured to merge multiple slashes.
  4. Audit WAF rules to ensure they do not rely solely on prefix matching if normalization is not guaranteed.
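The following Go program is an added example, not code from the Coraza project or from the original post. It reproduces the parser discrepancy described in the TL;DR (url.Parse moving the first segment of a //-prefixed URI into Host) alongside the ParseRequestURI behaviour adopted by the fix, and then applies the normalisation that remediation step 4 calls for before matching a prefix rule. The ACL prefix /admin, the sample request lines and the helper names (viewWithParse, viewWithParseRequestURI, deniedVulnerable, deniedFixed) are constructed for this illustration and are not Coraza APIs.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// protectedPrefix is a constructed ACL rule standing in for a path-based WAF
// rule such as "deny everything under /admin".
const protectedPrefix = "/admin"

// view is what a path-based rule gets to look at after the request-line URI
// has been parsed: the host (if the parser found one) and the path.
type view struct {
	Host string
	Path string
	Err  error
}

// viewWithParse parses the request line the way Coraza did before the fix.
// url.Parse treats a leading "//" as a network-path reference, so the first
// segment of "//admin/users" lands in Host and only "/users" is left in Path.
func viewWithParse(uri string) view {
	u, err := url.Parse(uri)
	if err != nil {
		return view{Err: err}
	}
	return view{Host: u.Host, Path: u.Path}
}

// viewWithParseRequestURI parses the way commit 4722c9a does. ParseRequestURI
// expects a request line (absolute URI or absolute path) and never reads "//"
// as an authority, so the whole "//admin/users" stays in Path.
func viewWithParseRequestURI(uri string) view {
	u, err := url.ParseRequestURI(uri)
	if err != nil {
		return view{Err: err}
	}
	return view{Host: u.Host, Path: u.Path}
}

// underPrefix is a segment-aware prefix test: "/admin" and "/admin/x" match,
// "/administrator" does not.
func underPrefix(p, prefix string) bool {
	return p == prefix || strings.HasPrefix(p, prefix+"/")
}

// deniedVulnerable applies the ACL to the path url.Parse produced. A request
// for "//admin/users" is not denied because the parser moved "admin" out of
// the path before the rule ever saw it.
func deniedVulnerable(uri string) bool {
	v := viewWithParse(uri)
	if v.Err != nil {
		return true // unparsable request line: fail closed
	}
	return underPrefix(v.Path, protectedPrefix)
}

// deniedFixed applies the ACL to the ParseRequestURI path after normalising it
// with path.Clean, which collapses repeated slashes and resolves "." and ".."
// segments. The normalisation matters: ParseRequestURI alone still yields
// "//admin/users", which a plain prefix match against "/admin" would miss.
func deniedFixed(uri string) bool {
	v := viewWithParseRequestURI(uri)
	if v.Err != nil {
		return true
	}
	return underPrefix(path.Clean(v.Path), protectedPrefix)
}

func main() {
	// Constructed sample request lines: the double-slash form from the
	// advisory plus a dot-segment form to show what the normaliser catches.
	samples := []string{"/admin/users", "//admin/users", "//admin", "/public/../admin", "/public"}
	fmt.Printf("%-18s %-26s %-26s %-5s %-5s\n", "uri", "url.Parse host|path", "ParseRequestURI host|path", "vuln", "fixed")
	for _, s := range samples {
		a, b := viewWithParse(s), viewWithParseRequestURI(s)
		fmt.Printf("%-18s %-26s %-26s %-5v %-5v\n", s,
			a.Host+"|"+a.Path, b.Host+"|"+b.Path,
			deniedVulnerable(s), deniedFixed(s))
	}
}
```

Running it prints one row per sample: the vulnerable column lets //admin/users, //admin and /public/../admin through, while the fixed column denies all three and still allows /public. The same table is a cheap regression check to run against any Go service that applies its own path rules before or instead of the WAF.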

Read the full report for CVE-2025-29914 on our website for more details including interactive diagrams and full exploit analysis.
