Impact
The Core Rule Set rule 922110 incorrectly handles multipart form data when multiple content‑type parts are present. During the loop over the headers of each part, the rule writes the charset value into capture variables that are subsequently overwritten. The result is that only the charset from the final part is considered, allowing an attacker to embed dangerous charsets in earlier parts that the rule ignores. The vulnerability therefore permits malicious input to slip past the set of transformations and detections that rely on rule 922110, effectively breaking the intended protection.
Affected Systems
Deployments that employ the OWASP ModSecurity Core Rule Set before versions 3.3.8 or 4.22.0 are impacted. These include many web application firewalls or security‑aware HTTP libraries that import the CRS for generic attack detection.
Risk and Exploitability
The CVSS score of 9.3 marks this flaw as critical. Given the EPSS score of 13 %, the likelihood of exploitation is high relative to other vulnerabilities. The issue is not yet listed in the CISA KEV catalog, but the remote nature of the attack vector—sending crafted multipart HTTP requests—is likely. Successful exploitation allows malicious charsets to be injected into earlier parts of a multipart request while the final part appears legitimate, thereby bypassing detection by the CRS and any downstream security controls that depend on rule 922110.
OpenCVE Enrichment
Debian DLA
Debian DSA