CVE-2026-33691: OWASP CRS whitespace padding bypass vulnerability

3 points

2 months ago

a vulnerability was identified in OWASP CRS where whitespace padding in filenames can bypass file upload extension checks, allowing uploads of dangerous files such as .php, .phar, .jsp, and .jspx. This issue has been assigned CVE‑2026‑33691.

Impact: Attackers may evade CRS protections and upload web shells disguised with whitespace‑padded extensions. Exploitation is most practical on Windows backends that normalize whitespace in filenames before execution, In linux harder because it require a backend that use like `.strip()` and `.trim()` and other whitespace trimming methods depending on the language here vulnerable to that or the webserver strip whitespaces or the backend on general, If not they not vulnerable to that.

Fix: Patched in CRS v3.3.9, v4.25.x LTS, and v4.8.x. Security fixes are always backported to supported branches.

References:

Full advisory: https://github.com/coreruleset/coreruleset/security/advisori...

Credits: Reported by RelunSec (aka @HackingRepo on Github).