CRS version 3.3.5 released

The OWASP ModSecurity Core Rule Set (CRS) team is pleased to announce the release of CRS v3.3.5.

For downloads and installation instructions, please refer to the Installation page.

This is a security release which fixes the recently announced CVE-2023-38199, whereby it is possible to cause an impedance mismatch on some platforms running CRS v3.3.4 and earlier by submitting a request with multiple Content-Type headers.
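The mismatch described above, as an added example that is not CRS code: on a constructed request, a component that reads the first Content-Type and one that reads the last disagree about the body format, and a simple check rejects any request carrying more than one. The helper names are hypothetical, and which value a given engine or backend actually selects is an assumption, since the announcement does not say.

```python
# Added illustration; the request below is constructed sample input.
RAW_REQUEST = (
    b"POST /submit HTTP/1.1\r\n"
    b"Host: app.example\r\n"
    b"Content-Type: application/json\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 7\r\n"
    b"\r\n"
    b"a=1&b=2"
)


def parse_headers(raw):
    """Return header fields of a raw HTTP/1.1 request as ordered (name, value) pairs."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def header_values(pairs, name):
    """All values seen for one header name, in order of appearance."""
    return [v for n, v in pairs if n == name.lower()]


def first_wins(pairs, name):
    """Assumed behaviour of one component: use the first occurrence."""
    values = header_values(pairs, name)
    return values[0] if values else None


def last_wins(pairs, name):
    """Assumed behaviour of another component: use the last occurrence."""
    values = header_values(pairs, name)
    return values[-1] if values else None


def check_content_type(raw):
    """Return (allowed, reason); refuse requests with more than one Content-Type."""
    values = header_values(parse_headers(raw), "content-type")
    if len(values) > 1:
        return False, "multiple Content-Type headers: " + ", ".join(values)
    return True, "ok"


if __name__ == "__main__":
    hdrs = parse_headers(RAW_REQUEST)
    print("first-wins view:", first_wins(hdrs, "Content-Type"))
    print("last-wins view: ", last_wins(hdrs, "Content-Type"))
    print("check:", check_content_type(RAW_REQUEST))
```

Whenever the two views differ, the inspecting component and the application are parsing the same body under different rules, which is why the check refuses the request outright instead of picking a value.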

Aside from the security fix, a few other minor, non-breaking changes and improvements are also included in this release. The full changes are as follows:

As noted above, the fix for CVE-2023-38199 has already been merged into the CRS v4 branch: our upcoming milestone release which we hope to publish in the near future.

Please feel free to contact us with any questions or concerns about this release via the usual channels: directly via the CRS GitHub repository, in our Slack channel (#coreruleset), or on our mailing list.

Andrew Howe on behalf of the Core Rule Set development team
