Advisories for Golang/Github.com/Crowdsecurity/Crowdsec package

The LAPI router uses gin-contrib/gzip with DefaultDecompressHandle globally (pkg/apiserver/controllers/controller.go). This middleware decompresses incoming request bodies without enforcing a maximum decompressed size. The endpoints /v1/watchers or /v1/watchers/login require no authentication. An attacker can send small gzip-compressed JSON payloads that, when decompressed, result in hundreds of MB of valid JSON occupying server memory. Sending enough requests concurrently will cause LAPI to allocate excessive heap memory, leading the OS to forcibly terminate the …

The CrowdSec AppSec component fails to read the HTTP request body for any request whose Content-Length is not positive — most notably HTTP/1.1 requests using Transfer-Encoding: chunked and HTTP/2 requests sent without a content-length header. Coraza is then evaluated against an empty body, so every WAF rule targeting REQUEST_BODY, BODY_ARGS, ARGS_POST, JSON, or XML silently fails to match. An unauthenticated remote attacker can bypass the entire AppSec body-inspection pipeline by …