CVE-2025-47947

ModSecurity is an open source, cross-platform web application firewall (WAF) engine for Apache, IIS and Nginx. Versions up to and including 2.9.8 are vulnerable to denial of service in one special case (in stable released versions): when the payload's content type is `application/json` and at least one rule carries a `sanitiseMatchedBytes` action. Both conditions must hold for the issue to be triggered. A patch is available at pull request 3389 and is expected to ship in version 2.9.9. No known workarounds are available.
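Whether a given deployment meets the trigger condition above depends on the rule set as much as on the engine version. As an added example (not code from this page or from the ModSecurity project), the following Python script scans ModSecurity 2.x configuration text for the two ingredients: rules carrying the `sanitiseMatchedBytes` action (the engine accepts both the British and American spelling) and rules that switch on the JSON request body processor with `ctl:requestBodyProcessor=JSON`, which is how a 2.x deployment comes to parse `application/json` bodies at all (the recommended `modsecurity.conf` does this with a rule keyed on the Content-Type header). It also reads `SecRequestBodyAccess`, because request bodies are never inspected when that directive is Off. The sample configuration embedded in the script is constructed for the example; rule ids 9001 and 9002 are made up, and the scan is a textual check, not a run of the engine.

```python
"""Audit ModSecurity 2.x configuration text for the CVE-2025-47947 trigger
condition: a rule using sanitiseMatchedBytes plus JSON request body parsing.
Added example, not code from the ModSecurity project."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# The v2 engine accepts both spellings of the action.
SANITISE_ACTIONS = ("sanitisematchedbytes", "sanitizematchedbytes")
JSON_CTL = "ctl:requestbodyprocessor=json"
QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')   # double-quoted rule arguments


@dataclass
class Audit:
    body_access: bool | None = None            # SecRequestBodyAccess, None if unset
    json_processor_rules: list[str] = field(default_factory=list)
    sanitise_rules: list[str] = field(default_factory=list)

    @property
    def exposed(self) -> bool:
        # SecRequestBodyAccess defaults to Off in 2.x, so an unset directive
        # means request bodies (JSON included) are never parsed.
        return bool(self.body_access and self.json_processor_rules and self.sanitise_rules)


def logical_lines(text: str):
    """Yield (first line number, text) with backslash continuations joined."""
    buf, start = [], None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if start is None:
            start = n
        if line.endswith("\\"):
            buf.append(line[:-1].rstrip())
            continue
        buf.append(line)
        yield start, " ".join(buf)
        buf, start = [], None
    if buf:
        yield start, " ".join(buf)


def split_actions(actions: str) -> list[str]:
    """Split an action list on commas outside single quotes (msg:'a, b' stays whole)."""
    out, cur, in_quote = [], [], False
    for ch in actions:
        if ch == "'":
            in_quote = not in_quote
        if ch == "," and not in_quote:
            out.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    out.append("".join(cur).strip())
    return [a for a in out if a]


def audit(config_text: str) -> Audit:
    result = Audit()
    for lineno, line in logical_lines(config_text):
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        directive = parts[0]
        if directive.lower() == "secrequestbodyaccess":
            result.body_access = len(parts) > 1 and parts[1].lower() == "on"
            continue
        if directive not in ("SecRule", "SecAction"):
            continue
        quoted = QUOTED.findall(line)
        if not quoted:
            continue
        actions = split_actions(quoted[-1])    # the action list is the last quoted argument
        rule_id = f"line {lineno}"             # chained rules may carry no id of their own
        for a in actions:
            if a.lower().startswith("id:"):
                rule_id = a[3:].strip("'\"")
        for a in actions:
            if a.split(":", 1)[0].lower() in SANITISE_ACTIONS:
                result.sanitise_rules.append(rule_id)
            if a.replace(" ", "").lower() == JSON_CTL:
                result.json_processor_rules.append(rule_id)
    return result


# Constructed sample configuration: the JSON-processor rule mirrors the
# pattern of the recommended modsecurity.conf; rules 9001/9002 are made up.
SAMPLE_CONFIG = r"""
SecRuleEngine On
SecRequestBodyAccess On
SecRule REQUEST_HEADERS:Content-Type "^application/json" \
     "id:'200001',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"
# Mask card-like digit runs in the audit log.
SecRule ARGS "@rx \d{13,16}" \
     "id:9001,phase:2,pass,log,msg:'possible card number, masked',sanitiseMatchedBytes"
SecRule ARGS "@rx password" "id:9002,phase:2,pass,nolog"
"""

if __name__ == "__main__":
    r = audit(SAMPLE_CONFIG)
    print("SecRequestBodyAccess:", r.body_access)
    print("rules enabling the JSON body processor:", r.json_processor_rules)
    print("rules using sanitiseMatchedBytes:", r.sanitise_rules)
    print("vulnerable condition reachable (if engine < 2.9.9):", r.exposed)
```

Run it against the concatenation of your `modsecurity.conf` and rule files (the `Include` order does not matter for this check). A result of `exposed == True` on an engine older than 2.9.9 means an unauthenticated client that can send a JSON body reaches the affected path; `exposed == False` only says the textual preconditions are absent, so it is no substitute for updating.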
CVSS scores

Provider   Type  Base score  Attack vector  Attack complexity  Privileges required  Vector string
NIST       NIST  7.5 HIGH    NETWORK        LOW                NONE                 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
GitHub_M   CNA   7.5 HIGH    NETWORK        LOW                NONE                 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CISA-ADP   ADP   ---         ---            ---                ---                  ---

Both published vectors describe an unauthenticated network attacker needing no user interaction, with high availability impact and no confidentiality or integrity impact.

EPSS percentile: 29%
Affected product

Vendor     Product      Vulnerable versions
trustwave  modsecurity  < 2.9.9
Ubuntu releases

In Ubuntu the 2.x engine (libapache2-mod-security2) is built from the modsecurity-apache source package; the modsecurity source package is libmodsecurity (v3) and is not affected.

Product             Codename  Status
modsecurity         plucky    not-affected
modsecurity         oracular  not-affected
modsecurity         noble     not-affected
modsecurity         jammy     not-affected
modsecurity         focal     not-affected
modsecurity-apache  plucky    Fixed 2.9.8-1.1ubuntu0.1 (released)
modsecurity-apache  oracular  Fixed 2.9.7-1ubuntu0.24.10.1 (released)
modsecurity-apache  noble     Fixed 2.9.7-1ubuntu0.24.04.1~esm1 (released)
modsecurity-apache  jammy     Fixed 2.9.5-1ubuntu0.1~esm2 (released)
modsecurity-apache  focal     Fixed 2.9.3-1ubuntu0.1+esm1 (released)
modsecurity-apache  bionic    Fixed 2.9.2-1ubuntu0.1~esm2 (released)
modsecurity-apache  xenial    Fixed 2.9.0-1ubuntu0.1~esm2 (released)
modsecurity-apache  trusty    Fixed 2.7.7-2ubuntu0.1~esm2 (released)