ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. Versions prior to 2.9.10 contain a denial of service vulnerability similar to GHSA-859r-vvv8-rm8r/CVE-2025-47947. The `sanitiseArg` (and `sanitizeArg` - this is the same action but an alias) is vulnerable to adding an excessive number of arguments, thereby leading to denial of service. Version 2.9.10 fixes the issue. As a workaround, avoid using rules that contain the `sanitiseArg` (or `sanitizeArg`) action.
References
Configurations
No configuration.
History
09 Jun 2025, 15:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
|
Summary |
|
02 Jun 2025, 16:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2025-06-02 16:15
Updated : 2025-06-09 15:15
NVD link : CVE-2025-48866
Mitre link : CVE-2025-48866
CVE.ORG link : CVE-2025-48866
JSON object : View
Products Affected
No product.
CWE
CWE-1050
Excessive Platform Resource Consumption within a Loop