Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Primary rating from Vendor (https://github.com/crowdsecurity/crowdsec) · only source for this CVE.
CVSS VectorVendor: https://github.com/crowdsecurity/crowdsec
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
Summary
The CrowdSec AppSec component fails to read the HTTP request body for any request whose Content-Length is not positive - most notably HTTP/1.1 requests using Transfer-Encoding: chunked and HTTP/2 requests sent without a content-length header. Coraza is then evaluated against an empty body, so every WAF rule targeting REQUEST_BODY, BODY_ARGS, ARGS_POST, JSON, or XML silently fails to match.
An unauthenticated remote attacker can bypass the entire AppSec body-inspection pipeline by changing a single framing header on an otherwise-malicious request. The bypassed request is forwarded as allow and produces no WAF log entry.
Affected versions
github.com/crowdsecurity/crowdsec- all releases up to and including v1.7.7.
Affected component
pkg/appsec/request.go, function NewParsedRequestFromRequest.
Root cause
func NewParsedRequestFromRequest(r *http.Request, logger *log.Entry) (ParsedRequest, error) {
var err error
contentLength := max(r.ContentLength, 0)
body := make([]byte, contentLength)
if r.Body != nil {
_, err = io.ReadFull(r.Body, body)
if err != nil {
return ParsedRequest{}, fmt.Errorf("unable to read body: %s", err)
}
r.Body = io.NopCloser(bytes.NewBuffer(body))
}
...
}Go's net/http server sets r.ContentLength = -1 when the request uses Transfer-Encoding: chunked with no Content-Length header, or when an HTTP/2 request omits the content-length pseudo-header (DATA-frame-only body). With ContentLength == -1:
max(-1, 0)evaluates to0.make([]byte, 0)allocates a zero-length slice.io.ReadFullon a zero-length buffer needs zero bytes and returns immediately without touchingr.Body.- The empty buffer is written back onto the request and onto the cloned request constructed later in the same function.
Every downstream consumer then sees an empty body. In the AppSec runner, WriteRequestBody is skipped because the parsed body has zero length, and ProcessRequestBody runs against nothing.
Impact
Every body-scanning rule is bypassed for any request whose framing makes Content-Length non-positive. In default CrowdSec deployments using the standard AppSec collections, the bypass affects any rule with zones containing BODY_ARGS, JSON, XML, REQUEST_BODY, or ARGS_POST.
No configuration option mitigates the issue - the defect is in the request parser, not in any ruleset. Bypassed requests do not produce a WAF log entry, so operators have no signal that rules are being skipped.
Header-only and URI-only rules are unaffected.
Workarounds
No complete workaround is available.
AnalysisAI
Web application firewall body-inspection bypass in CrowdSec (the AppSec component, versions 1.5.0 through 1.7.7) lets unauthenticated remote attackers slip malicious payloads past every body-scanning WAF rule. When a request uses HTTP/1.1 'Transfer-Encoding: chunked' or HTTP/2 without a content-length, the parser treats the body as empty, so rules matching REQUEST_BODY, BODY_ARGS, ARGS_POST, JSON, or XML silently fail and the request is forwarded as 'allow' with no WAF log entry. There is no public exploit identified at time of analysis and no KEV listing, but the trigger is trivial - flipping a single framing header - making this a high-confidence protection-mechanism failure rather than a memory-safety bug.
Technical ContextAI
CrowdSec's AppSec is a WAF layer built on the Coraza engine (an OWASP ModSecurity-compatible rule engine written in Go). The defect lives in pkg/appsec/request.go, function NewParsedRequestFromRequest, which prepares the parsed request that Coraza inspects. Go's net/http sets r.ContentLength = -1 for chunked HTTP/1.1 bodies and for HTTP/2 DATA-frame bodies lacking a content-length pseudo-header. The code does contentLength := max(r.ContentLength, 0), so -1 collapses to 0, make([]byte, 0) yields a zero-length buffer, and io.ReadFull returns immediately without ever draining r.Body. That empty buffer is written back onto both the request and its later clone, so WriteRequestBody is skipped and ProcessRequestBody runs against nothing. This maps to CWE-693 (Protection Mechanism Failure): the security control is present but rendered ineffective by an input-handling flaw, not by an attacker defeating any specific signature check.
RemediationAI
Vendor-released patch: 1.7.8 - upgrade CrowdSec to v1.7.8 or later, which is the only complete fix since the defect is in the request parser and the vendor explicitly states no configuration option or ruleset change mitigates it and no complete workaround is available. As partial compensating controls until the upgrade lands, you can terminate and normalize requests at an upstream proxy that buffers chunked and HTTP/2 bodies and re-emits them with an accurate Content-Length before they reach AppSec (trade-off: adds a hop, buffers full bodies in memory and adds latency, and only helps if that proxy reliably rewrites framing), and you can alert on an anomalous absence of WAF body-rule hits against endpoints that accept POST/JSON/XML traffic (trade-off: detection only, not prevention, and the bypass produces no WAF log entry by design). Refer to the advisory at https://github.com/crowdsecurity/crowdsec/security/advisories/GHSA-rw47-hm26-6wr7 for vendor guidance.
Same weakness CWE-693 – Protection Mechanism Failure
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-45023
GHSA-rw47-hm26-6wr7