PatchSiren

crowdsecurity CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

HIGH crowdsecurity CVE published 2026-07-16

CVE-2026-44982

A vulnerability was found in CrowdSec's HTTP request handling. From version 1.5.0 to 1.7.7, the NewParsedRequestFromRequest function in pkg/appsec/request.go allocated a request body buffer based on max(r.ContentLength, 0). This caused HTTP/1.1 requests with Transfer-Encoding: chunked and HTTP/2 requests without a content-length header to have an empty body. As a result, WAF rules targeting REQUEST_BODY, [truncated]

HIGH crowdsecurity CVE published 2026-07-16

CVE-2026-44981

CVE-2026-44981 is a high-severity vulnerability in CrowdSec's LAPI router, a crowdsourced protection system against malicious IPs. From version 1.7.0 to 1.7.7, the router used gin-contrib/gzip with DefaultDecompressHandle globally, allowing unauthenticated gzip-compressed JSON request bodies to be decompressed without enforcing a maximum decompressed size. This could lead to excessive heap allocation, pot [truncated]