A vulnerability was found in CrowdSec's HTTP request handling. From version 1.5.0 to 1.7.7, the NewParsedRequestFromRequest function in pkg/appsec/request.go allocated a request body buffer based on max(r.ContentLength, 0). This caused HTTP/1.1 requests with Transfer-Encoding: chunked and HTTP/2 requests without a content-length header to have an empty body. As a result, WAF rules targeting REQUEST_BODY, [truncated]
CVE-2026-44981 is a high-severity vulnerability in CrowdSec's LAPI router, a crowdsourced protection system against malicious IPs. From version 1.7.0 to 1.7.7, the router used gin-contrib/gzip with DefaultDecompressHandle globally, allowing unauthenticated gzip-compressed JSON request bodies to be decompressed without enforcing a maximum decompressed size. This could lead to excessive heap allocation, pot [truncated]