Advisories for Golang/Github.com/Corazawaf/Coraza/V2 package

2023

Coraza has potential denial of service vulnerability

Summary

Due to the misuse of log.Fatalf, an application using Coraza crashes after receiving a crafted request from an attacker.

Details

https://github.com/corazawaf/coraza/blob/82157f85f24c6107667bf0f686b71a72aafdf8a5/internal/bodyprocessors/multipart.go#L26-L29

The multipart body processor uses log.Fatalf to handle errors returned by mime.ParseMediaType, but log.Fatalf calls os.Exit directly after logging the error:

https://github.com/golang/go/blob/a031f4ef83edc132d5f49382bfef491161de2476/src/log/log.go#L288-L291

This means the whole process exits immediately after receiving a malicious request whose Content-Type value makes mime.ParseMediaType return an error. Because os.Exit runs no deferred functions and cannot be caught by recover, a single unauthenticated request is enough to take the protected application down.

PoC

The vulnerability can be demonstrated with the example HTTP server at https://github.com/corazawaf/coraza/tree/main/examples/http-server. After …
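The following is an added example written for this page; it is not Coraza's own code and the names boundaryOrDie, multipartBoundary and newHandler are illustrative. It puts the vulnerable pattern (a parse error in the Content-Type value handled with log.Fatalf, which exits the process) beside a hardened version that returns the error so the handler can reject just the offending request, and it feeds both well-formed and malformed Content-Type values to the hardened parser.

```go
package main

import (
	"errors"
	"fmt"
	"log"
	"mime"
	"net/http"
)

// boundaryOrDie reproduces the vulnerable pattern. log.Fatalf logs and then
// calls os.Exit(1), so any Content-Type value that mime.ParseMediaType
// rejects terminates the whole server. It is shown for comparison only and
// is never called below.
func boundaryOrDie(contentType string) string {
	_, params, err := mime.ParseMediaType(contentType)
	if err != nil {
		log.Fatalf("failed to parse Content-Type: %v", err) // exits the process
	}
	return params["boundary"]
}

var (
	ErrNotMultipart    = errors.New("content type is not multipart/form-data")
	ErrMissingBoundary = errors.New("multipart content type has no boundary")
)

// multipartBoundary is the hardened form: the parse error is wrapped and
// returned to the caller instead of being treated as fatal, and the media
// type and boundary parameter are checked explicitly.
func multipartBoundary(contentType string) (string, error) {
	mediaType, params, err := mime.ParseMediaType(contentType)
	if err != nil {
		return "", fmt.Errorf("parse Content-Type %q: %w", contentType, err)
	}
	if mediaType != "multipart/form-data" {
		return "", ErrNotMultipart
	}
	b, ok := params["boundary"]
	if !ok || b == "" {
		return "", ErrMissingBoundary
	}
	return b, nil
}

// newHandler wires the hardened parser into an http.Handler that answers a
// malformed header with 400 Bad Request; the process keeps serving.
func newHandler() http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		b, err := multipartBoundary(r.Header.Get("Content-Type"))
		if err != nil {
			http.Error(w, "bad Content-Type: "+err.Error(), http.StatusBadRequest)
			return
		}
		fmt.Fprintf(w, "boundary=%s\n", b)
	})
}

func main() {
	// Constructed sample values: the first is well-formed; the second has a
	// parameter with no value and the third has no media type at all, both
	// of which make mime.ParseMediaType return an error.
	for _, ct := range []string{
		`multipart/form-data; boundary="----x"`,
		"multipart/form-data; boundary",
		"",
	} {
		b, err := multipartBoundary(ct)
		fmt.Printf("%-40q -> boundary=%q err=%v\n", ct, b, err)
	}
}
```

With the hardened parser, the same crafted request that would have exited the process now produces a 400 response and nothing else; the error is still logged or surfaced by the caller, but at request scope rather than process scope.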