CVE-2026-44982 7.2 HIGH
WAF body-inspection bypass in the CrowdSec AppSec component: a request framed with chunked transfer encoding or HTTP/2 without a content-length reaches the backend with its body unscanned, defeating every body-matching rule.
| Product | CrowdSec AppSec |
|---|---|
| Affected Versions | 1.5.0 – 1.7.7 |
| Fixed Version | 1.7.8 |
| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N |
| CWE | CWE-693 (Protection Mechanism Failure) |
| Published | 2026-05-27 |
Description
The CrowdSec AppSec component is vulnerable to a Protection Mechanism Failure in versions 1.5.0 through 1.7.7. The function NewParsedRequestFromRequest in pkg/appsec/request.go sizes the body buffer with max(r.ContentLength, 0). Go's net/http sets r.ContentLength to -1 for any request whose framing does not carry a positive content-length, which covers HTTP/1.1 requests using Transfer-Encoding: chunked and HTTP/2 requests sent without a content-length header. For those requests the body buffer is allocated at zero length and io.ReadFull reads zero bytes successfully, so the request body is discarded before Coraza ever sees it. Every WAF rule targeting REQUEST_BODY, BODY_ARGS, ARGS_POST, JSON or XML evaluates against an empty body and silently fails to match. Version 1.7.8 replaces the buffer-sizing logic with a readRequestBody helper that reads up to a configurable maximum and applies an oversize action.
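As an added illustration (not code from the CrowdSec project), the two buffer-sizing strategies side by side in Go: readBodyVulnerable mirrors the max(r.ContentLength, 0) logic described above, readBodyHardened is a hypothetical stand-in for a bounded reader of the kind the fix introduces, and newChunkedRequest constructs a request the way net/http presents a chunked POST (ContentLength -1) so the behaviour can be checked offline. ErrBodyTooLarge and the 'reject' oversize policy are assumptions, not the project's configuration.

```go
package main

import (
	"bytes"
	"errors"
	"io"
	"net/http"
)

// ErrBodyTooLarge stands in for the advisory's "oversize action" (hypothetical policy: reject).
var ErrBodyTooLarge = errors.New("request body exceeds configured maximum")

// readBodyVulnerable reproduces the flawed sizing: net/http reports ContentLength -1 for chunked
// or HTTP/2 requests without Content-Length, so the buffer is empty and ReadFull reads nothing.
func readBodyVulnerable(r *http.Request) ([]byte, error) {
	n := r.ContentLength
	if n < 0 {
		n = 0 // max(r.ContentLength, 0)
	}
	buf := make([]byte, n)
	_, err := io.ReadFull(r.Body, buf) // with len(buf) == 0 this returns 0, nil
	return buf, err
}

// readBodyHardened ignores framing: it reads up to maxBytes whatever ContentLength says,
// rejects larger bodies, and rewinds r.Body so the request can still be forwarded.
func readBodyHardened(r *http.Request, maxBytes int64) ([]byte, error) {
	body, err := io.ReadAll(io.LimitReader(r.Body, maxBytes+1))
	if err != nil {
		return nil, err
	}
	if int64(len(body)) > maxBytes {
		return nil, ErrBodyTooLarge
	}
	r.Body = io.NopCloser(bytes.NewReader(body))
	return body, nil
}

// newChunkedRequest builds an in-memory request the way net/http hands a chunked POST to a
// handler: ContentLength is -1 but the body is still readable (constructed sample).
func newChunkedRequest(body string) *http.Request {
	return &http.Request{
		ContentLength:    -1,
		TransferEncoding: []string{"chunked"},
		Body:             io.NopCloser(bytes.NewReader([]byte(body))),
	}
}
```

Run readBodyVulnerable over newChunkedRequest("constructed body") and it returns an empty slice with a nil error, which is exactly the condition under which every body-matching rule evaluates against nothing; readBodyHardened returns the full body for the same request.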
Impact
An unauthenticated remote attacker bypasses the entire AppSec body-inspection pipeline by switching a single framing header on an otherwise-malicious request (sending it as Transfer-Encoding: chunked or over HTTP/2 with no content-length). Body-scanning rules that would have flagged SQL injection, command injection, deserialisation payloads, JSON or XML attacks no longer fire. Because Coraza receives an empty body, the bypassed request leaves no WAF log entry and looks like a clean request in operator dashboards. The protected origin is exposed to whatever underlying vulnerability the WAF was meant to block.