
The bypass undermines a primary WAF defense layer, exposing countless web applications to remote, unauthenticated XSS attacks and forcing organizations to reassess their security assumptions.
The OWASP Core Rule Set (CRS) is the de‑facto standard for hardening web applications at the firewall tier. By embedding a comprehensive library of detection rules, CRS enables ModSecurity and compatible WAFs to filter malicious traffic before it reaches vulnerable code. When a rule such as 922110 fails to evaluate every segment of a multipart request, the entire defensive premise collapses, allowing attackers to exploit legacy encodings like UTF‑7 that traditional filters miss. This incident highlights how even widely trusted rule sets can harbor subtle logic gaps that evade detection.
Technical analysis shows the flaw stems from the chained‑rule processing model used by ModSecurity. The rule validates only the last part of a multipart payload, so a malicious UTF‑7‑encoded script placed in an earlier segment passes unchecked while a benign UTF‑8 segment satisfies the rule’s condition. Because the WAF reports no violation, the request proceeds to the application layer, where the XSS payload can execute. With a CVSS 9.3 rating, the vulnerability is classified as critical, reflecting its remote exploitability, lack of authentication, and potential for widespread impact across any environment running the affected CRS versions.
Mitigation requires more than a simple patch. Organizations should immediately upgrade to CRS 4.22.0 or 3.3.8, verify that multipart inspection is fully enabled, and enforce UTF‑8‑only encoding at the server and application levels. Complementary controls—custom WAF rules, strict Content‑Security‑Policy headers, and robust input validation—provide defense‑in‑depth against encoding‑based evasion. The broader lesson is clear: reliance on "set‑and‑forget" security tools is risky. Continuous validation, regular rule updates, and a zero‑trust mindset that assumes breach are essential to maintaining resilient web‑application security.
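To make the logic gap in the analysis above concrete, and to show what "multipart inspection fully enabled" plus a UTF‑8‑only policy looks like as a check, here is an added example. It is not code from the OWASP CRS or ModSecurity projects and does not reproduce rule 922110; it models the described behaviour with a minimal multipart/form-data parser and two charset checks, one that evaluates only the final part and one that evaluates every part. The boundary, field names and body are constructed for this example, and an absent charset parameter is treated as UTF‑8 by assumption.

```python
"""Multipart charset inspection: last-part-only versus every-part.

Added example, not code from the OWASP CRS or ModSecurity projects. The
parser, the two checks and the sample body below are constructed to model
the logic gap described in the article (only the final multipart segment is
evaluated); they do not reproduce rule 922110 itself.
"""
import re
from typing import List, Tuple

# UTF-8-only policy for request body parts.
ALLOWED_CHARSETS = {"utf-8"}

# Pulls the charset parameter out of a part's Content-Type header.
CHARSET_RE = re.compile(rb'charset\s*=\s*"?([A-Za-z0-9._-]+)"?', re.IGNORECASE)

Part = Tuple[bytes, bytes]  # (raw headers, raw content)


def parse_multipart(body: bytes, boundary: bytes) -> List[Part]:
    """Split a well-formed multipart/form-data body into (headers, content) pairs."""
    delimiter = b"--" + boundary
    parts: List[Part] = []
    for chunk in body.split(delimiter)[1:]:
        if chunk.startswith(b"--"):        # closing delimiter: no more parts
            break
        chunk = chunk[2:] if chunk.startswith(b"\r\n") else chunk
        chunk = chunk[:-2] if chunk.endswith(b"\r\n") else chunk
        headers, sep, content = chunk.partition(b"\r\n\r\n")
        if not sep:
            raise ValueError("malformed part: missing blank line after headers")
        parts.append((headers, content))
    return parts


def declared_charset(headers: bytes) -> str:
    """Charset a part declares; treated as utf-8 when absent (assumption of this example)."""
    m = CHARSET_RE.search(headers)
    return m.group(1).decode("ascii").lower() if m else "utf-8"


def last_part_only_check(parts: List[Part]) -> List[Tuple[int, str]]:
    """Models the gap: only the final part is evaluated, so a disallowed
    charset in an earlier part is never seen. Returns offending (index, charset)."""
    if not parts:
        return []
    idx = len(parts) - 1
    cs = declared_charset(parts[idx][0])
    return [] if cs in ALLOWED_CHARSETS else [(idx, cs)]


def all_parts_check(parts: List[Part]) -> List[Tuple[int, str]]:
    """Hardened form: every part's declared charset must be on the allow-list."""
    return [(i, cs) for i, (hdrs, _) in enumerate(parts)
            if (cs := declared_charset(hdrs)) not in ALLOWED_CHARSETS]


def bytes_are_valid_utf8(content: bytes) -> bool:
    """Strict byte-level UTF-8 validation. UTF-7 uses only ASCII bytes, so this
    passes for UTF-7 content; the declared charset must be checked as well."""
    try:
        content.decode("utf-8", errors="strict")
        return True
    except UnicodeDecodeError:
        return False


def decode_as_declared(part: Part) -> str:
    """What an application that honours the declared charset would read."""
    headers, content = part
    return content.decode(declared_charset(headers))


# Constructed sample: part 0 declares charset=utf-7 (benign text; "caf+AOk-" is
# "café" in UTF-7), part 1 is a plain UTF-8 field. Only the last part is "clean".
BOUNDARY = b"ExampleBoundary1234"
SAMPLE_BODY = (
    b"--ExampleBoundary1234\r\n"
    b'Content-Disposition: form-data; name="comment"\r\n'
    b"Content-Type: text/plain; charset=utf-7\r\n"
    b"\r\n"
    b"caf+AOk-\r\n"
    b"--ExampleBoundary1234\r\n"
    b'Content-Disposition: form-data; name="lang"\r\n'
    b"Content-Type: text/plain; charset=utf-8\r\n"
    b"\r\n"
    b"en\r\n"
    b"--ExampleBoundary1234--\r\n"
)


def main() -> None:
    parts = parse_multipart(SAMPLE_BODY, BOUNDARY)
    print("parts:", len(parts))
    print("last-part-only violations:", last_part_only_check(parts))
    print("all-parts violations:     ", all_parts_check(parts))
    for i, (_, content) in enumerate(parts):
        print(f"part {i} bytes valid UTF-8: {bytes_are_valid_utf8(content)}")
    print("part 0 as the application reads it:", decode_as_declared(parts[0]))


if __name__ == "__main__":
    main()
```

Running the script shows the last-part-only check reporting no violation while the every-part check flags part 0. The byte-level check passes for both parts, which is the practical reason the UTF‑8‑only policy in the mitigation guidance has to be enforced on the declared charset (and on how the application decodes the field), not only by validating that the raw bytes are well-formed UTF‑8.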