owasp/modsecurity-crs:nginx malforms JS objects since release/20250127 #329

Open
gtaws opened this issue Feb 4, 2025 · 3 comments

Comments


gtaws commented Feb 4, 2025

I don't know if this is the right place yet, and I'll update the issue after I get home, but I have used owasp/modsecurity-crs:nginx in front of Vaultwarden to guard my password manager for a little over a year now, and it had not given me issues until release/20250127. Currently, it cannot render pages from Vaultwarden as the JS response seems to be malformed, repeatedly rendering the final chunk of output, but not the rest. Turning on debug logging seems to indicate multiple messages showing that the JS output won't be appended as the content won't be inspected, but no errors. I have to turn off modsecurity inside conf.d/modsecurity.conf for nginx to render Vaultwarden correctly for this release. Rolling back to release/20250105 also fixes the issue. Please let me know what else I need to turn on to either help triage or remediate the issue. I can also attach example correct and broken responses and HAR files later if that helps. This all happens on the login page, so I think no confidential data will appear in the HAR. This issue also occurs in release/20250201.

Member

fzipi commented Feb 4, 2025

It is weird that it still happens with the latest release, as we reverted to a well-known version of the modsecurity-nginx build (1.0.3). Can you really confirm it does not work again using release/20250201?

Author

gtaws commented Feb 4, 2025

Yup, still happening. Simply switching tags from 4.10.0-nginx-202501050801 to 4.11.0-nginx-202502011102 in docker compose with no config changes will let the container come up and seemingly be ready to serve pages, but the JS objects come back malformed, although HTML and CSS objects come back fine, I think. I can't really tell if it's actually OK as the browser can't actually render the page correctly, but the source looks OK for those objects. Let me know what I should turn on or submit to help triage this.

Contributor

theseion commented Feb 5, 2025

That's very weird. @fichte do you see the same? I can check tonight.
