Jan 6, 2026 · 6 min read
Coraza WAF treated URIs starting with `//` as protocol-relative URLs, interpreting the first path segment as a hostname. This caused the WAF to effectively 'delete' the first directory from the path it inspected (e.g., `//admin` became a host named `admin` with an empty path), allowing attackers to bypass Access Control Lists (ACLs) while the backend server still normalized and served the sensitive path.
A parser logic discrepancy in OWASP Coraza WAF allows attackers to bypass path-based security rules using double slashes in the URI, exploiting Go's standard URL parsing behavior.
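The discrepancy described above can be reproduced with Go's own `net/url` package. The following is an added example written for this write-up, not Coraza code: it shows what `url.Parse` makes of a request target beginning with `//`, contrasts it with `url.ParseRequestURI` (which the `net/http` server uses for incoming request lines), and applies a constructed `/admin` deny rule first to the parsed path and then to a normalized path. The deny prefix and the `naiveDeny`/`hardenedDeny` functions are assumptions for illustration; the page does not state which parsing function the affected WAF version called.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// denyPrefix is a constructed ACL for this example: /admin and everything
// below it is blocked.
const denyPrefix = "/admin"

// parsedPath shows what url.Parse makes of a request target that starts with
// "//": with no scheme present, the first segment is read as the authority
// (host) and only the remainder becomes the path.
func parsedPath(rawURI string) (host, p string, err error) {
	u, err := url.Parse(rawURI)
	if err != nil {
		return "", "", err
	}
	return u.Host, u.Path, nil
}

// requestURIPath shows the path net/http's server would see for the same
// bytes: ParseRequestURI never treats a leading "//" as an authority.
func requestURIPath(rawURI string) (string, error) {
	u, err := url.ParseRequestURI(rawURI)
	if err != nil {
		return "", err
	}
	return u.Path, nil
}

// matchesDeny matches the ACL on whole path segments, so "/administrator"
// is not caught by a rule meant for "/admin".
func matchesDeny(p string) bool {
	return p == denyPrefix || strings.HasPrefix(p, denyPrefix+"/")
}

// naiveDeny evaluates the ACL against the path url.Parse produced. For
// "//admin" that path is empty, so the rule never matches.
func naiveDeny(rawURI string) bool {
	_, p, err := parsedPath(rawURI)
	if err != nil {
		return true // fail closed on input the parser rejects
	}
	return matchesDeny(p)
}

// normalizedPath takes the raw path bytes (query removed), forces a single
// leading slash, collapses repeated slashes and resolves dot segments with
// path.Clean. This mirrors what a typical backend router does before
// dispatching, so the ACL is evaluated on the path that will be served.
func normalizedPath(rawURI string) string {
	p := rawURI
	if i := strings.IndexByte(p, '?'); i >= 0 {
		p = p[:i]
	}
	if !strings.HasPrefix(p, "/") {
		p = "/" + p
	}
	return path.Clean(p)
}

// hardenedDeny applies the ACL to the normalized path instead of the parsed one.
func hardenedDeny(rawURI string) bool {
	return matchesDeny(normalizedPath(rawURI))
}

func main() {
	for _, raw := range []string{"/admin/users", "//admin/users", "//admin", "/administrator", "/public"} {
		h, p, _ := parsedPath(raw)
		rp, _ := requestURIPath(raw)
		fmt.Printf("%-16s parse: host=%q path=%q  request-uri path=%q  naiveDeny=%v hardenedDeny=%v\n",
			raw, h, p, rp, naiveDeny(raw), hardenedDeny(raw))
	}
}
```

The point for a defender is the last two columns: the same bytes yield a host of `admin` and an empty path from one parser and a path of `//admin` from the other, and only the rule evaluated on the cleaned path blocks the request consistently. When reviewing a WAF or reverse proxy written in Go, check which of these two functions feeds the rule engine and whether normalization happens before ACL evaluation.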
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N

| Product | Affected Versions | Fixed Version |
|---|---|---|
| Coraza WAF OWASP | < 3.3.3 | 3.3.3 |

| Attribute | Detail |
|---|---|
| CWE ID | CWE-706 (Incorrectly-Resolved Name) |
| Attack Vector | Network (HTTP) |
| CVSS v3.1 | 5.4 (Medium) |
| Impact | Security Bypass / ACL Evasion |
| Exploit Status | PoC Available |
| Language | Go (Golang) |
CWE-706 describes the root cause: the software uses a name or reference that resolves to a resource different from the intended one, so the authorization decision is made about the wrong object.