
CVE-2022-39955: CWE-863 Incorrect Authorization in OWASP ModSecurity Core Rule Set

Severity: High
Tags: vulnerability, cve-2022-39955, cwe-863
Published: Tue Sep 20 2022 (09/20/2022, 00:00:00 UTC)
Source: CVE Database V5
Vendor/Project: OWASP
Product: ModSecurity Core Rule Set

Description

The OWASP ModSecurity Core Rule Set (CRS) is affected by a partial rule set bypass by submitting a specially crafted HTTP Content-Type header field that indicates multiple character encoding schemes. A vulnerable back-end can potentially be exploited by declaring multiple Content-Type "charset" names and therefore bypassing the configurable CRS Content-Type header "charset" allow list. An encoded payload can bypass CRS detection this way and may then be decoded by the backend. The legacy CRS versions 3.0.x and 3.1.x are affected, as well as the currently supported versions 3.2.1 and 3.3.2. Integrators and users are advised to upgrade to 3.2.2 and 3.3.3 respectively.

AI-Powered Analysis

AI analysis last updated: 07/08/2025, 03:10:41 UTC

Technical Analysis

CVE-2022-39955 is a high-severity vulnerability (CVSS 7.3) affecting the OWASP ModSecurity Core Rule Set (CRS), specifically versions 3.0.x, 3.1.x, 3.2.1, and 3.3.2. The vulnerability arises from incorrect authorization logic (CWE-863) within the CRS rules that handle HTTP Content-Type header parsing. Attackers can craft an HTTP request with a Content-Type header containing multiple character encoding declarations (multiple charset names). This malformed header can bypass the CRS's configurable allow list for Content-Type charset values, allowing an encoded malicious payload to evade detection by the CRS. Once bypassed, the backend server may decode and process the payload, potentially leading to unauthorized actions or exploitation of backend vulnerabilities. The issue affects legacy and current CRS versions, with fixed versions 3.2.2 and 3.3.3 released to address this bypass. No known exploits are reported in the wild yet, but the vulnerability's nature allows remote exploitation without authentication or user interaction, increasing risk. The vulnerability impacts confidentiality, integrity, and availability due to the potential for malicious payloads to bypass web application firewall (WAF) protections and reach vulnerable backend systems.

Potential Impact

For European organizations, this vulnerability poses a significant risk to web applications protected by the OWASP ModSecurity CRS, especially those using affected versions. Successful exploitation can allow attackers to bypass WAF protections, enabling injection of malicious payloads that could lead to data leakage, unauthorized access, or service disruption. This is particularly critical for sectors handling sensitive personal data under GDPR, such as finance, healthcare, and government services. The bypass could facilitate exploitation of backend vulnerabilities, leading to compromise of confidentiality and integrity of data, and potentially availability if denial-of-service or destructive payloads are delivered. Organizations relying on ModSecurity CRS as a primary defense layer may find their security posture weakened until patches are applied. The lack of required authentication and user interaction means attackers can exploit this remotely and at scale, increasing the threat surface for European enterprises.

Mitigation Recommendations

European organizations should immediately assess their use of OWASP ModSecurity CRS and identify whether affected versions (3.0.x, 3.1.x, 3.2.1, 3.3.2) are deployed. The primary mitigation is to upgrade to the patched versions 3.2.2 or 3.3.3, which address the charset header parsing bypass. Additionally, organizations should implement strict input validation on backend systems so that they do not rely solely on CRS for Content-Type charset enforcement. Web servers and application frameworks should be configured to reject or sanitize HTTP headers with multiple charset declarations. Monitoring and logging of HTTP headers for anomalies can help detect exploitation attempts. Employing defense-in-depth by combining CRS with other security controls such as runtime application self-protection (RASP) and backend validation will reduce risk. Regular vulnerability scanning and penetration testing focusing on WAF bypass techniques should be conducted. Finally, organizations should stay updated on any emerging exploit reports and apply security advisories promptly.
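As an added illustration of the header check the recommendations above call for (example code written for this page, not part of the CVE record or of CRS itself): a small Python validator that collects every charset parameter in a Content-Type header and rejects duplicate or unlisted values, contrasted with a first-match-only check of the kind a duplicate declaration slips past. The allow list and the sample header are assumptions.

```python
import re
from dataclasses import dataclass, field

# Stand-in for the configurable CRS charset allow list; the exact set is an
# assumption for this example, not the CRS default.
ALLOWED_CHARSETS = {"utf-8", "iso-8859-1", "iso-8859-15"}

# name=value pairs following the media type; values may be quoted strings.
_PARAM_RE = re.compile(r'([^=;\s]+)\s*=\s*("(?:[^"\\]|\\.)*"|[^;]*)')

@dataclass
class ContentTypeCheck:
    media_type: str
    charsets: list = field(default_factory=list)  # every charset declared
    reasons: list = field(default_factory=list)   # empty => header accepted

    @property
    def accepted(self) -> bool:
        return not self.reasons

def _norm(value: str) -> str:
    """Strip whitespace and surrounding quotes, lower-case the charset name."""
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1].replace('\\"', '"')
    return value.lower()

def first_charset_only(header: str, allow=ALLOWED_CHARSETS) -> bool:
    """Weak pattern: validate only the first charset seen and stop looking."""
    m = re.search(r'charset\s*=\s*("?)([^";]+)\1', header, re.IGNORECASE)
    return m is None or m.group(2).strip().lower() in allow

def check_content_type(header: str, allow=ALLOWED_CHARSETS) -> ContentTypeCheck:
    """Collect all charset parameters; reject duplicates and unlisted values."""
    media, _, params = header.partition(";")
    result = ContentTypeCheck(media_type=media.strip().lower())
    for m in _PARAM_RE.finditer(params):
        if m.group(1).lower() == "charset":
            result.charsets.append(_norm(m.group(2)))
    if len(result.charsets) > 1:
        result.reasons.append("multiple charset declarations: %r" % result.charsets)
    for cs in result.charsets:
        if cs not in allow:
            result.reasons.append("charset not in allow list: %r" % cs)
    return result

if __name__ == "__main__":
    # Constructed sample header, not taken from the advisory.
    h = "text/plain; charset=utf-8; charset=koi8-r"
    print(h, first_charset_only(h), check_content_type(h).reasons)
```

The first-match check returns True for the constructed header while the full check records both declarations and rejects it, which is the behaviour a backend-side validator should have.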


Technical Details

Data Version: 5.1
Assigner Short Name: NCSC.ch
Date Reserved: 2022-09-05T00:00:00.000Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68386826182aa0cae2801b6e

Added to database: 5/29/2025, 1:59:02 PM

Last enriched: 7/8/2025, 3:10:41 AM

Last updated: 8/14/2025, 12:30:15 AM
