VDB

GO-2025-3537

GO-2025-3537 PUBLISHED

OWASP Coraza WAF has parser confusion which leads to wrong URI in `REQUEST_FILENAME` in github.com/corazawaf/coraza

Affected Products

VendorProductVersions
github.comcorazawaf/coraza/v20, 0
github.comjptosso/coraza-waf0, 0
github.comcorazawaf/coraza0, 0
github.comcorazawaf/coraza/v30, 0

Timeline

  • Mar 25, 2025 CVE Published
  • Mar 3, 2026 CVE Updated
  • May 1, 2026 Security Advisory

References

Open in Interactive Console →
$ Console Community · 100/wk Open console ›