CVE-2025-48866

02.06.2025, 16:15

ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. Versions prior to 2.9.10 contain a denial of service vulnerability similar to GHSA-859r-vvv8-rm8r/CVE-2025-47947. The `sanitiseArg` (and `sanitizeArg` - this is the same action but an alias) is vulnerable to adding an excessive number of arguments, thereby leading to denial of service. Version 2.9.10 fixes the issue. As a workaround, avoid using rules that contain the  `sanitiseArg` (or `sanitizeArg`) action.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
GitHub_M	CNA	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CISA-ADP	ADP	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 36%

Vendor	Product	Version
owasp	modsecurity	𝑥 < 2.9.10

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

modsecurity-apache

bullseye	vulnerable
bullseye (security)	2.9.3-3+deb11u4 fixed
bookworm	vulnerable
bookworm (security)	2.9.7-1+deb12u1 fixed
sid	2.9.11-1 fixed
trixie	2.9.11-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

modsecurity-apache

plucky	Fixed 2.9.8-1.1ubuntu0.1 released
oracular	Fixed 2.9.7-1ubuntu0.24.10.1 released
noble	Fixed 2.9.7-1ubuntu0.24.04.1~esm1 released
jammy	Fixed 2.9.5-1ubuntu0.1~esm2 released
focal	Fixed 2.9.3-1ubuntu0.1+esm1 released
bionic	Fixed 2.9.2-1ubuntu0.1~esm2 released
xenial	Fixed 2.9.0-1ubuntu0.1~esm2 released
trusty	Fixed 2.7.7-2ubuntu0.1~esm2 released

Known Exploits!

https://github.com/owasp-modsecurity/ModSecurity/security/advisories/GHSA-f82j-8pp7-cw2w

Common Weakness Enumeration

CWE-1050 - Excessive Platform Resource Consumption within a Loop
The software has a loop body or loop condition that contains a control element that directly or indirectly consumes platform resources, e.g. messaging, sessions, locks, or file descriptors.

References

https://github.com/owasp-modsecurity/ModSecurity/commit/3a54ccea62d3f7151bb08cb78d60c5e90b53ca2e

https://github.com/owasp-modsecurity/ModSecurity/security/advisories/GHSA-859r-vvv8-rm8r

https://github.com/owasp-modsecurity/ModSecurity/security/advisories/GHSA-f82j-8pp7-cw2w

https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-(v2.x)#sanitisearg

https://lists.debian.org/debian-lts-announce/2025/06/msg00009.html