Product
CrowdSec AppSec component fails to read the HTTP request body for chunked/HTTP-2 requests, leading to a bypass of WAF rules targeting `REQUEST_BODY`, `BODY_ARGS`, `ARGS_POST`, `JSON`, or `XML`, enabling unauthenticated remote attackers to evade body-inspection pipelines.