CVE-2025-48866

ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. Versions prior to 2.9.10 contain a denial of service vulnerability similar to GHSA-859r-vvv8-rm8r/CVE-2025-47947. The `sanitiseArg` (and `sanitizeArg` - this is the same action but an alias) is vulnerable to adding an excessive number of arguments, thereby leading to denial of service. Version 2.9.10 fixes the issue. As a workaround, avoid using rules that contain the `sanitiseArg` (or `sanitizeArg`) action.
Configurations

No configuration.

History

09 Jun 2025, 15:15

Type Values Removed Values Added
References
  • () https://lists.debian.org/debian-lts-announce/2025/06/msg00009.html -
Summary
  • (es) ModSecurity es un motor de firewall de aplicaciones web (WAF) multiplataforma de código abierto para Apache, IIS y Nginx. Las versiones anteriores a la 2.9.10 contienen una vulnerabilidad de denegación de servicio similar a GHSA-859r-vvv8-rm8r/CVE-2025-47947. La acción `sanitiseArg` (y `sanitizeArg`, que es la misma acción pero un alias) es vulnerable a añadir un número excesivo de argumentos, lo que provoca una denegación de servicio. La versión 2.9.10 corrige el problema. Como workaround, evite usar reglas que contengan la acción `sanitiseArg` (o `sanitizeArg`).

02 Jun 2025, 16:15

Type Values Removed Values Added
New CVE

Information

Published : 2025-06-02 16:15

Updated : 2025-06-09 15:15


NVD link : CVE-2025-48866

Mitre link : CVE-2025-48866

CVE.ORG link : CVE-2025-48866


JSON object : View

Products Affected

No product.

CWE
CWE-1050

Excessive Platform Resource Consumption within a Loop