Skip to main content

Modsecurity CVE-2025-48866

| EUVDEUVD-2025-16670 HIGH
Excessive Platform Resource Consumption within a Loop (CWE-1050)
2025-06-02 security-advisories@github.com
7.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Ubuntu
MEDIUM
qualitative
SUSE
HIGH
qualitative
Red Hat
5.9 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
EUVD ID Assigned
Mar 14, 2026 - 16:47 euvd
EUVD-2025-16670
Analysis Generated
Mar 14, 2026 - 16:47 vuln.today
Patch released
Mar 14, 2026 - 16:47 nvd
Patch available
PoC Detected
Jul 02, 2025 - 18:11 vuln.today
Public exploit code
CVE Published
Jun 02, 2025 - 16:15 nvd
HIGH 7.5

DescriptionGitHub Advisory

ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. Versions prior to 2.9.10 contain a denial of service vulnerability similar to GHSA-859r-vvv8-rm8r/CVE-2025-47947. The sanitiseArg (and sanitizeArg - this is the same action but an alias) is vulnerable to adding an excessive number of arguments, thereby leading to denial of service. Version 2.9.10 fixes the issue. As a workaround, avoid using rules that contain the sanitiseArg (or sanitizeArg) action.

AnalysisAI

ModSecurity versions prior to 2.9.10 contain a denial of service vulnerability in the sanitiseArg and sanitizeArg actions that allows unauthenticated remote attackers to cause service disruption by submitting requests with an excessive number of arguments. This is a network-accessible DoS vulnerability with high impact on availability that affects widely-deployed WAF deployments across Apache, IIS, and Nginx platforms.

Technical ContextAI

ModSecurity is a web application firewall engine that operates as a module for Apache, IIS, and Nginx web servers. The vulnerability exists in the argument sanitization functions (sanitiseArg/sanitizeArg actions) which process HTTP request parameters. The root cause (CWE-1050: Initialization with Hard-Coded Network Resource Configuration Data / similar argument handling flaw) relates to improper bounds checking or resource exhaustion handling when processing a large number of request arguments. When rules containing these actions are triggered, the WAF fails to properly limit or validate the quantity of arguments being processed, allowing an attacker to exhaust memory or processing capacity through argument multiplication attacks, similar to the related CVE-2025-47947 (GHSA-859r-vvv8-rm8r). The vulnerability affects all installations using ModSecurity 2.9.x versions before 2.9.10 on any supported platform (Apache, IIS, Nginx).

RemediationAI

Immediate actions: (1) Upgrade ModSecurity to version 2.9.10 or later (patch available); (2) Apply vendor patches from ModSecurity GitHub repository (https://github.com/SpiderLabs/ModSecurity/releases/tag/v2.9.10); (3) For systems unable to patch immediately, implement workaround by disabling or removing all rules containing sanitiseArg or sanitizeArg actions—identify affected rules in active rulesets (OWASP CRS, vendor-specific rules) and remove or comment them out; (4) Implement rate limiting at upstream load balancer/proxy to limit request argument counts; (5) Monitor for exploitation attempts using WAF logs for requests with unusually high argument counts. Patch path: Update from 2.9.x to 2.9.10+ (appears to be a patch release, not requiring major version upgrade). Vendor advisory and patch details available at ModSecurity GitHub releases.

CVE-2025-27110 HIGH POC
7.9 Feb 25

Libmodsecurity is one component of the ModSecurity v3 project. Rated high severity (CVSS 7.9), this vulnerability is rem

CVE-2021-42717 HIGH POC
7.5 Dec 07

ModSecurity 3.x through 3.0.5 mishandles excessively nested JSON objects. Rated high severity (CVSS 7.5), this vulnerabi

CVE-2020-15598 HIGH POC
7.5 Oct 06

Trustwave ModSecurity 3.x through 3.0.4 allows denial of service via a special request. Rated high severity (CVSS 7.5),

CVE-2012-4528 MEDIUM POC
5.0 Dec 28

The mod_security2 module before 2.7.0 for the Apache HTTP Server allows remote attackers to bypass rules, and deliver ar

CVE-2018-13065 MEDIUM POC
6.1 Jul 03

ModSecurity 3.0.0 has XSS via an onerror attribute of an IMG element. Rated medium severity (CVSS 6.1), this vulnerabili

CVE-2013-2765 MEDIUM POC
5.0 Jul 15

The ModSecurity module before 2.7.4 for the Apache HTTP Server allows remote attackers to cause a denial of service (NUL

CVE-2013-5705 MEDIUM POC
5.0 Apr 15

apache2/modsecurity.c in ModSecurity before 2.7.6 allows remote attackers to bypass rules by using chunked transfer codi

CVE-2026-52747 HIGH
8.6 Jul 10

WAF filtering bypass in OWASP ModSecurity (libmodsecurity) before 3.0.16 lets remote unauthenticated attackers smuggle m

CVE-2024-1019 HIGH
8.6 Jan 30

ModSecurity / libModSecurity 3.0.0 to 3.0.11 is affected by a WAF bypass for path-based payloads submitted via specially

CVE-2013-1915 HIGH
7.5 Apr 25

ModSecurity before 2.7.3 allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cau

CVE-2024-46292 HIGH
7.5 Oct 09

A buffer overflow in modsecurity v3.0.12 allows attackers to cause a Denial of Service (DoS) via a crafted input inserte

CVE-2023-38285 HIGH
7.5 Jul 26

Trustwave ModSecurity 3.x before 3.0.10 has Inefficient Algorithmic Complexity. Rated high severity (CVSS 7.5), this vul

Vendor StatusVendor

Ubuntu

Priority: Medium
modsecurity-apache
Release Status Version
bionic released 2.9.2-1ubuntu0.1~esm2
focal released 2.9.3-1ubuntu0.1+esm1
jammy released 2.9.5-1ubuntu0.1~esm2
noble released 2.9.7-1ubuntu0.24.04.1~esm1
oracular released 2.9.7-1ubuntu0.24.10.1
plucky released 2.9.8-1.1ubuntu0.1
trusty released 2.7.7-2ubuntu0.1~esm2
upstream released 2.9.10
xenial released 2.9.0-1ubuntu0.1~esm2
questing needs-triage -

Debian

Bug #1107196
modsecurity-apache
Release Status Fixed Version Urgency
bullseye fixed 2.9.3-3+deb11u4 -
bullseye (security) fixed 2.9.3-3+deb11u5 -
bookworm fixed 2.9.7-1+deb12u1 -
bookworm (security) fixed 2.9.7-1+deb12u1 -
trixie fixed 2.9.11-1+deb13u1 -
forky, sid fixed 2.9.12-2 -
(unstable) fixed 2.9.10-1 -

SUSE

Severity: High
Product Status
SUSE Enterprise Storage 7.1 Fixed
SUSE Liberty Linux 9 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS Fixed
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS Fixed
SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS Fixed

Share

CVE-2025-48866 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy