CVE-2025-48866
ModSecurity has possible DoS vulnerability in sanitiseArg action
In short
ModSecurity versions before 2.9.10 have a denial of service vulnerability in the sanitiseArg action. An attacker can send requests with an excessive number of arguments to crash or freeze the WAF, disrupting web application protection.
Technical detail
The sanitiseArg action in ModSecurity prior to 2.9.10 is vulnerable to denial of service when processing requests containing an excessive number of arguments. An attacker can exploit this by crafting HTTP requests with many parameters, causing resource exhaustion and WAF unavailability without requiring authentication or special privileges.
Summary generated and translated by AI from the official description.
ModSecurity is an open-source, cross-platform web application firewall (WAF) engine for Apache, IIS and Nginx. Versions prior to 2.9.10 contain a denial of service vulnerability similar to GHSA-859r-vvv8-rm8r/CVE-2025-47947. The `sanitiseArg` action (and `sanitizeArg`, which is the same action under an alias) is vulnerable to adding an excessive number of arguments, thereby leading to denial of service. Version 2.9.10 fixes the issue. As a workaround, avoid using rules that contain the `sanitiseArg` (or `sanitizeArg`) action.
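The workaround above requires knowing which rules carry the `sanitiseArg` or `sanitizeArg` action. The following Python script is an added example, not part of the advisory or of the ModSecurity project: it scans a v2 rule file for such rules, joining backslash continuation lines, honouring quoted fields and matching the alias; the rule ids and parameter names in the constructed sample are made up.

```python
import shlex

AFFECTED_ACTIONS = {"sanitisearg", "sanitizearg"}  # name and alias, lower-cased

# Constructed sample rule file: rule ids 900100-900103 and parameter names are made up.
SAMPLE_RULES = r'''
# Masks a parameter in the audit log with the affected action
SecRule ARGS:password "@rx ." \
    "id:900100,phase:2,pass,nolog,sanitiseArg:password"
# The alias is the same action; rule split across continuation lines
SecRule REQUEST_METHOD "POST" \
    "id:900101,\
    phase:2,pass,\
    sanitizeArg:token"
# Not affected: sanitiseMatched is a different action
SecRule ARGS "@contains secret" "id:900102,phase:2,pass,sanitiseMatched"
# A commented-out rule must not be reported
# SecRule ARGS:pin "@rx ." "id:900103,phase:2,pass,sanitiseArg:pin"
'''

def logical_lines(text):
    """Yield directives, joining physical lines that end in a backslash."""
    buf = []
    for raw in text.splitlines() + [""]:  # sentinel flushes a trailing continuation
        line = raw.rstrip()
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        logical = " ".join(buf + [line]).strip()
        buf = []
        if logical and not logical.startswith("#"):
            yield logical

def actions_of(directive):
    """Return the quoted action list of a SecRule/SecAction directive, or None."""
    tokens = shlex.split(directive)  # honours the double-quoted fields
    slot = {"SecRule": 3, "SecAction": 1}.get(tokens[0] if tokens else "")
    return tokens[slot] if slot is not None and len(tokens) > slot else None

def find_affected_rules(text):
    """Return (rule id, action) pairs for every rule that uses an affected action."""
    hits = []
    for directive in logical_lines(text):
        actions = actions_of(directive)
        if actions is None:
            continue
        names = [a.strip() for a in actions.split(",")]
        rule_id = next((n[3:] for n in names if n.startswith("id:")), "?")
        hits += [(rule_id, n) for n in names if n.split(":", 1)[0].lower() in AFFECTED_ACTIONS]
    return hits
```

Run `find_affected_rules` over each file your configuration includes; every hit is a rule to remove or rewrite until the engine is upgraded to 2.9.10.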
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected products
owasp-modsecurity · ModSecurity
References
https://github.com/owasp-modsecurity/ModSecurity/commit/3a54ccea62d3f7151bb08cb78d60c5e90b53ca2e
https://github.com/owasp-modsecurity/ModSecurity/security/advisories/GHSA-859r-vvv8-rm8r
https://github.com/owasp-modsecurity/ModSecurity/security/advisories/GHSA-f82j-8pp7-cw2w
https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-(v2.x)#sanitisearg
https://lists.debian.org/debian-lts-announce/2025/06/msg00009.html