GHSA-RW47-HM26-6WR7

Vulnerability from github – Published: 2026-05-27 19:58 – Updated: 2026-05-27 19:58
VLAI
Summary
CrowdSec AppSec silently drops request body for chunked / HTTP-2 requests
Details

Summary

The CrowdSec AppSec component fails to read the HTTP request body for any request whose Content-Length is not positive — most notably HTTP/1.1 requests using Transfer-Encoding: chunked and HTTP/2 requests sent without a content-length header. Coraza is then evaluated against an empty body, so every WAF rule targeting REQUEST_BODY, BODY_ARGS, ARGS_POST, JSON, or XML silently fails to match.

An unauthenticated remote attacker can bypass the entire AppSec body-inspection pipeline by changing a single framing header on an otherwise-malicious request. The bypassed request is forwarded as allow and produces no WAF log entry.

Affected versions

  • github.com/crowdsecurity/crowdsec — all releases up to and including v1.7.7.

Affected component

pkg/appsec/request.go, function NewParsedRequestFromRequest.

Root cause

func NewParsedRequestFromRequest(r *http.Request, logger *log.Entry) (ParsedRequest, error) {
    var err error
    contentLength := max(r.ContentLength, 0)
    body := make([]byte, contentLength)
    if r.Body != nil {
        _, err = io.ReadFull(r.Body, body)
        if err != nil {
            return ParsedRequest{}, fmt.Errorf("unable to read body: %s", err)
        }
        r.Body = io.NopCloser(bytes.NewBuffer(body))
    }
    ...
}

Go's net/http server sets r.ContentLength = -1 when the request uses Transfer-Encoding: chunked with no Content-Length header, or when an HTTP/2 request omits the content-length pseudo-header (DATA-frame-only body). With ContentLength == -1:

  1. max(-1, 0) evaluates to 0.
  2. make([]byte, 0) allocates a zero-length slice.
  3. io.ReadFull on a zero-length buffer needs zero bytes and returns immediately without touching r.Body.
  4. The empty buffer is written back onto the request and onto the cloned request constructed later in the same function.

Every downstream consumer then sees an empty body. In the AppSec runner, WriteRequestBody is skipped because the parsed body has zero length, and ProcessRequestBody runs against nothing.

Impact

Every body-scanning rule is bypassed for any request whose framing makes Content-Length non-positive. In default CrowdSec deployments using the standard AppSec collections, the bypass affects any rule with zones containing BODY_ARGS, JSON, XML, REQUEST_BODY, or ARGS_POST.

No configuration option mitigates the issue — the defect is in the request parser, not in any ruleset. Bypassed requests do not produce a WAF log entry, so operators have no signal that rules are being skipped.

Header-only and URI-only rules are unaffected.

Workarounds

No complete workaround is available.

Severity
7.2 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.7.7"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/crowdsecurity/crowdsec"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.5.0"
            },
            {
              "fixed": "1.7.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-44982"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-693"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-27T19:58:15Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "## Summary\n\nThe CrowdSec AppSec component fails to read the HTTP request body for any request whose `Content-Length` is not positive \u2014 most notably HTTP/1.1 requests using `Transfer-Encoding: chunked` and HTTP/2 requests sent without a `content-length` header. Coraza is then evaluated against an empty body, so every WAF rule targeting `REQUEST_BODY`, `BODY_ARGS`, `ARGS_POST`, `JSON`, or `XML` silently fails to match.\n\nAn unauthenticated remote attacker can bypass the entire AppSec body-inspection pipeline  by changing a single framing header on an otherwise-malicious request. The bypassed request is forwarded as `allow` and produces no WAF log entry.\n\n## Affected versions\n\n- `github.com/crowdsecurity/crowdsec` \u2014 all releases up to and including **v1.7.7**.\n\n## Affected component\n\n`pkg/appsec/request.go`, function `NewParsedRequestFromRequest`.\n\n## Root cause\n\n```go\nfunc NewParsedRequestFromRequest(r *http.Request, logger *log.Entry) (ParsedRequest, error) {\n    var err error\n    contentLength := max(r.ContentLength, 0)\n    body := make([]byte, contentLength)\n    if r.Body != nil {\n        _, err = io.ReadFull(r.Body, body)\n        if err != nil {\n            return ParsedRequest{}, fmt.Errorf(\"unable to read body: %s\", err)\n        }\n        r.Body = io.NopCloser(bytes.NewBuffer(body))\n    }\n    ...\n}\n```\n\nGo\u0027s `net/http` server sets `r.ContentLength = -1` when the request uses `Transfer-Encoding: chunked` with no `Content-Length` header, or when an HTTP/2 request omits the `content-length` pseudo-header (DATA-frame-only body). With `ContentLength == -1`:\n\n1. `max(-1, 0)` evaluates to `0`.\n2. `make([]byte, 0)` allocates a zero-length slice.\n3. `io.ReadFull` on a zero-length buffer needs zero bytes and returns immediately without touching `r.Body`.\n4. The empty buffer is written back onto the request and onto the cloned request constructed later in the same function.\n\nEvery downstream consumer then sees an empty body. In the AppSec runner, `WriteRequestBody` is skipped because the parsed body has zero length, and `ProcessRequestBody` runs against nothing.\n\n## Impact\n\nEvery body-scanning rule is bypassed for any request whose framing makes `Content-Length` non-positive. In default CrowdSec deployments using the standard AppSec collections, the bypass affects any rule with `zones` containing `BODY_ARGS`, `JSON`, `XML`, `REQUEST_BODY`, or `ARGS_POST`.\n\nNo configuration option mitigates the issue \u2014 the defect is in the request parser, not in any ruleset. Bypassed requests do not produce a WAF log entry, so operators have no signal that rules are being skipped.\n\nHeader-only and URI-only rules are unaffected.\n\n## Workarounds\n\nNo complete workaround is available.",
  "id": "GHSA-rw47-hm26-6wr7",
  "modified": "2026-05-27T19:58:15Z",
  "published": "2026-05-27T19:58:15Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/crowdsecurity/crowdsec/security/advisories/GHSA-rw47-hm26-6wr7"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/crowdsecurity/crowdsec"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "CrowdSec AppSec silently drops request body for chunked / HTTP-2 requests"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.