The OWASP core rule set (CRS) is a set of generic attack detection rules for use with compatible web application firewalls. Prior to versions 3.3.9 and 4.25.0, a bypass was identified in OWASP CRS that allows uploading files with dangerous extensions (.php, .phar, .jsp, .jspx) by inserting whitespace padding in the filename (e.g. photo. php or shell.jsp ). The affected rules do not normalize whitespace before evaluating the file extension regex, so the dot-extension check fails to match.
This issue has been patched in versions 3.3.9 and 4.25.0.
Attack Parameters
Attack Vector
Network
Can be exploited remotely
Attack Complexity
High
Difficult to exploit
Privileges Required
None
No privileges needed
User Interaction
None
No user interaction needed
Impact Assessment
Confidentiality
None
No data leak
Integrity
High
Complete data modification
Availability
None
No disruption
CVSS Vector v3.1
Weakness Type (CWE)
Vulnerable Products
coreruleset:coreruleset
References 8
https://github.com/coreruleset/coreruleset/commit/2a8c63512811c5dd74472becebb79…
security-advisories@github.com
https://github.com/coreruleset/coreruleset/pull/4546
security-advisories@github.com
https://github.com/coreruleset/coreruleset/pull/4547
security-advisories@github.com
https://github.com/coreruleset/coreruleset/pull/4548
security-advisories@github.com
https://github.com/coreruleset/coreruleset/releases/tag/v3.3.9
security-advisories@github.com
https://github.com/coreruleset/coreruleset/releases/tag/v4.25.0
security-advisories@github.com
https://github.com/coreruleset/coreruleset/security/advisories/GHSA-rw5f-9w43-g…
security-advisories@github.com
http://www.openwall.com/lists/oss-security/2026/03/29/2
af854a3a-2127-422b-91ae-364da2661108