CVE-2025-47947

EUVD-2025-16086
ModSecurity is an open source, cross-platform web application firewall (WAF) engine for Apache, IIS and Nginx. Stable releases up to and including 2.9.8 are vulnerable to denial of service in one specific case: when the request payload's content type is `application/json` and at least one rule uses the `sanitiseMatchedBytes` action. A patch is available in pull request 3389 and is expected to ship in version 2.9.9. No known workarounds are available.
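The advisory gives two trigger conditions (engine at or below 2.9.8, and a loaded rule carrying `sanitiseMatchedBytes`). The script below is an added exposure check written for this page; it is not part of the advisory and not ModSecurity project code. It assumes a POSIX sh with awk, `grep -o` and GNU-style `sort -V`, and the rule file it scans is a constructed sample with hypothetical rule ids. It checks the upstream version string only, so for distribution packages that backport the fix (see the Ubuntu table below) the distribution's own status is authoritative.

```shell
#!/bin/sh
# Exposure check for CVE-2025-47947, added as an example; not advisory text and
# not ModSecurity project code. Encodes the advisory's two trigger conditions:
# an engine at or below 2.9.8, and at least one loaded rule carrying the
# sanitiseMatchedBytes action. Assumes POSIX sh, awk, grep -o, GNU-style sort -V.
# The rule file below is a constructed sample with hypothetical rule ids.

# True (exit 0) when VERSION is in the "up to and including 2.9.8" range.
# Caveat: compares the upstream version only; distro packages that backport the
# fix keep an upstream-looking version, so consult the distro advisory for those.
modsec_version_affected() {
    version="$1"
    last_vulnerable="2.9.8"
    lowest=$(printf '%s\n%s\n' "$version" "$last_vulnerable" | sort -V | head -n 1)
    # If the candidate sorts first (or equal), it is not newer than 2.9.8.
    [ "$lowest" = "$version" ]
}

# Join backslash-continued lines so a multi-line SecRule becomes one record,
# then drop comment lines so commented-out rules are not counted.
flatten_rules() {
    awk '/\\$/ { sub(/\\$/, ""); buf = buf $0; next }
         { print buf $0; buf = "" }
         END { if (buf != "") print buf }' "$1" \
      | grep -v '^[[:space:]]*#'
}

# Print the ids of rules whose action list contains sanitiseMatchedBytes.
sanitise_rule_ids() {
    flatten_rules "$1" | grep 'sanitiseMatchedBytes' \
      | grep -o 'id:[0-9][0-9]*' | sed 's/^id://'
}

has_sanitise_rule() {
    [ -n "$(sanitise_rule_ids "$1")" ]
}

# Exposed only when both advisory conditions hold.
cve_2025_47947_exposed() {
    modsec_version_affected "$1" && has_sanitise_rule "$2"
}

# Constructed sample rule set (hypothetical ids; not from CRS or the advisory).
SAMPLE_RULES=$(mktemp)
trap 'rm -f "$SAMPLE_RULES"' EXIT
cat > "$SAMPLE_RULES" <<'EOF'
# Route JSON bodies to the JSON body processor, as rule sets commonly do.
SecRule REQUEST_HEADERS:Content-Type "application/json" \
    "id:100001,phase:1,pass,nolog,ctl:requestBodyProcessor=JSON"
# This rule carries the action named in the advisory.
SecRule ARGS "@rx \d{13,16}" \
    "id:100002,phase:2,deny,log,msg:'Card number in request',sanitiseMatchedBytes"
# SecRule ARGS "@rx secret" "id:100003,phase:2,pass,sanitiseMatchedBytes"
SecRule REQUEST_BODY "@contains password" \
    "id:100004,phase:2,pass,log,sanitiseRequestHeader:Authorization"
EOF

report() {
    if cve_2025_47947_exposed "$1" "$2"; then
        echo "ModSecurity $1: exposed; sanitiseMatchedBytes in rule id(s):" \
             $(sanitise_rule_ids "$2")
    else
        echo "ModSecurity $1: not exposed under the advisory's conditions"
    fi
}

report 2.9.8 "$SAMPLE_RULES"
report 2.9.9 "$SAMPLE_RULES"
```

Point `sanitise_rule_ids` at the files your httpd configuration actually loads (everything pulled in by `Include` for mod_security2); the commented-out rule in the sample is deliberately ignored so that disabled rules do not produce false positives.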
CVSS 3.1 scores

Provider   Type     Base Score  Atk. Vector  Atk. Complexity  Priv. Required  Vector
NIST       Primary  7.5 HIGH    NETWORK      LOW              NONE            CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
GitHub_M   CNA      7.5 HIGH    NETWORK      LOW              NONE            CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS percentile: 39%
Affected Products (NVD)

Vendor      Product       Version
trustwave   modsecurity   < 2.9.9   (vulnerable)

Versions marked vulnerable are those in the affected range above.
Ubuntu Releases

Product              Codename   Status         Fixed version
modsecurity          focal      not-affected
modsecurity          jammy      not-affected
modsecurity          noble      not-affected
modsecurity          oracular   not-affected
modsecurity          plucky     not-affected
modsecurity          questing   not-affected
modsecurity-apache   bionic     released       2.9.2-1ubuntu0.1~esm2
modsecurity-apache   focal      released       2.9.3-1ubuntu0.1+esm1
modsecurity-apache   jammy      released       2.9.5-1ubuntu0.1~esm2
modsecurity-apache   noble      released       2.9.7-1ubuntu0.24.04.1~esm1
modsecurity-apache   oracular   released       2.9.7-1ubuntu0.24.10.1
modsecurity-apache   plucky     released       2.9.8-1.1ubuntu0.1
modsecurity-apache   questing   not-affected
modsecurity-apache   trusty     released       2.7.7-2ubuntu0.1~esm2
modsecurity-apache   xenial     released       2.9.0-1ubuntu0.1~esm2

Note that the fixed Ubuntu packages carry backported patches, so their upstream version numbers (2.9.7, 2.9.5 and earlier) still fall inside the affected range quoted in the advisory; the package version, not the upstream version, determines whether a given Ubuntu install is fixed.