{
  "description": "Trending threats, MITRE ATT&CK coverage, and detection metadata. Fed continuously.",
  "feed_url": "https://feed.craftedsignal.io/tags/appsec/feed.json",
  "home_page_url": "https://feed.craftedsignal.io/",
  "items": [
    {
      "_cs_actors": [],
      "_cs_cpes": [],
      "_cs_cves": [],
      "_cs_exploited": false,
      "_cs_has_poc": false,
      "_cs_poc_references": [],
      "_cs_products": ["CrowdSec AppSec"],
      "_cs_severities": ["high"],
      "_cs_tags": ["waf-bypass", "appsec", "web-application"],
      "_cs_type": "advisory",
      "_cs_vendors": ["CrowdSec"],
      "content_html": "<p>The CrowdSec AppSec component, up to version 1.7.7, contains a flaw in its request parsing logic. Specifically, the component fails to correctly read the HTTP request body when the <code>Content-Length</code> header is not positive, such as when using <code>Transfer-Encoding: chunked</code> in HTTP/1.1 or when the <code>content-length</code> header is omitted in HTTP/2 requests. This results in Coraza, the underlying WAF engine, evaluating rules against an empty request body. This issue allows an unauthenticated remote attacker to bypass WAF rules designed to inspect request bodies, potentially leading to successful exploitation of vulnerabilities that would otherwise be blocked. Because bypassed requests do not produce a WAF log entry, defenders lack visibility into these bypass attempts. The vulnerability affects any rule with <code>zones</code> containing <code>BODY_ARGS</code>, <code>JSON</code>, <code>XML</code>, <code>REQUEST_BODY</code>, or <code>ARGS_POST</code>.</p>\n<h2 id=\"attack-chain\">Attack Chain</h2>\n<ol>\n<li>An attacker crafts a malicious HTTP request designed to exploit a vulnerability that requires sending a malicious payload in the request body.</li>\n<li>The attacker sets the <code>Transfer-Encoding</code> header to <code>chunked</code> (HTTP/1.1) or omits the <code>content-length</code> header entirely (HTTP/2).</li>\n<li>The malicious request is sent to a server protected by CrowdSec AppSec.</li>\n<li>CrowdSec AppSec&rsquo;s <code>NewParsedRequestFromRequest</code> function incorrectly parses the request body, resulting in an empty body being passed to the WAF engine.</li>\n<li>The WAF engine evaluates the rules against the empty body, causing all rules targeting <code>REQUEST_BODY</code>, <code>BODY_ARGS</code>, <code>ARGS_POST</code>, <code>JSON</code>, or <code>XML</code> to fail to match.</li>\n<li>The malicious request bypasses the WAF&rsquo;s body-inspection pipeline entirely.</li>\n<li>The bypassed request is forwarded to the backend server.</li>\n<li>The backend server processes the malicious request, potentially leading to successful exploitation of the underlying vulnerability.</li>\n</ol>\n<h2 id=\"impact\">Impact</h2>\n<p>Successful exploitation allows attackers to bypass the body-inspection pipeline of CrowdSec AppSec. This bypass can lead to successful exploitation of vulnerabilities that rely on sending malicious data within the request body. Given the wide adoption of CrowdSec for application security, a significant number of systems are potentially affected. The absence of WAF log entries for bypassed requests further complicates detection and incident response. In default CrowdSec deployments using the standard AppSec collections, this bypass will affect a large number of deployed rulesets.</p>\n<h2 id=\"recommendation\">Recommendation</h2>\n<ul>\n<li>Upgrade to a CrowdSec version greater than 1.7.7 to patch CVE-2026-44982.</li>\n<li>Deploy the Sigma rule <code>Detect CrowdSec AppSec WAF Bypass via Missing Content-Length</code> to detect requests that may be attempting to exploit this bypass by monitoring HTTP status codes combined with <code>Transfer-Encoding: chunked</code> headers in web server logs.</li>\n<li>Deploy the Sigma rule <code>Detect CrowdSec AppSec WAF Bypass via HTTP/2 request without Content-Length</code> to detect requests that may be attempting to exploit this bypass by monitoring HTTP/2 traffic and absence of content-length.</li>\n<li>Examine webserver logs for unexpected &ldquo;200 OK&rdquo; responses to requests with large bodies sent using chunked transfer encoding.</li>\n</ul>\n",
      "date_modified": "2026-05-27T19:59:39Z",
      "date_published": "2026-05-27T19:59:39Z",
      "id": "https://feed.craftedsignal.io/briefs/2026-05-crowdsec-appsec-waf-bypass/",
      "summary": "CrowdSec AppSec component fails to read the HTTP request body for chunked/HTTP-2 requests, leading to a bypass of WAF rules targeting `REQUEST_BODY`, `BODY_ARGS`, `ARGS_POST`, `JSON`, or `XML`, enabling unauthenticated remote attackers to evade body-inspection pipelines.",
      "title": "CrowdSec AppSec WAF Bypass via Chunked/HTTP-2 Requests",
      "url": "https://feed.craftedsignal.io/briefs/2026-05-crowdsec-appsec-waf-bypass/"
    }
  ],
  "language": "en",
  "title": "CraftedSignal Threat Feed — Appsec",
  "version": "https://jsonfeed.org/version/1.1"
}