What is the CVSS score of CVE-2025-48866?

CVE-2025-48866 has a CVSS 3.1 base score of 7.5 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. EPSS exploitation probability: 0.4%.

Which versions of Modsecurity are affected by CVE-2025-48866?

ModSecurity versions prior to 2.9.10 contain a denial of service vulnerability that could allow attackers to disable web application protection by exploiting the sanitiseArg/sanitizeArg actions.. A patch is available.

Is there a public PoC exploit available for CVE-2025-48866?

Yes, a public proof-of-concept exploit is available for CVE-2025-48866. Prioritise patching immediately. EPSS: 0.4%.

How to fix or mitigate CVE-2025-48866?

Within 24 hours: Identify all systems running ModSecurity versions prior to 2.9.10 and assess whether sanitiseArg/sanitizeArg actions are active in your ruleset. Within 7 days: Apply the ModSecurity 2.9.10 patch to all affected systems or implement the workaround by removing sanitiseArg/sanitizeArg actions from active rules. Within 30 days: Conduct full regression testing of WAF rules post-patch and validate that legitimate traffic is not impacted by the update.

Modsecurity CVE-2025-48866

EUVD-2025-16670 HIGH

Excessive Platform Resource Consumption within a Loop (CWE-1050)

2025-06-02 security-advisories@github.com

Denial Of Service Apache Nginx Red Hat Modsecurity Suse

7.5

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Lifecycle Timeline

EUVD ID Assigned

Mar 14, 2026 - 16:47 euvd

EUVD-2025-16670

Analysis Generated

Mar 14, 2026 - 16:47 vuln.today

Patch released

Mar 14, 2026 - 16:47 nvd

Patch available

PoC Detected

Jul 02, 2025 - 18:11 vuln.today

Public exploit code

CVE Published

Jun 02, 2025 - 16:15 nvd

HIGH 7.5

DescriptionNVD

ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. Versions prior to 2.9.10 contain a denial of service vulnerability similar to GHSA-859r-vvv8-rm8r/CVE-2025-47947. The sanitiseArg (and sanitizeArg - this is the same action but an alias) is vulnerable to adding an excessive number of arguments, thereby leading to denial of service. Version 2.9.10 fixes the issue. As a workaround, avoid using rules that contain the sanitiseArg (or sanitizeArg) action.

AnalysisAI

ModSecurity versions prior to 2.9.10 contain a denial of service vulnerability in the sanitiseArg and sanitizeArg actions that allows unauthenticated remote attackers to cause service disruption by submitting requests with an excessive number of arguments. This is a network-accessible DoS vulnerability with high impact on availability that affects widely-deployed WAF deployments across Apache, IIS, and Nginx platforms.

Technical ContextAI

ModSecurity is a web application firewall engine that operates as a module for Apache, IIS, and Nginx web servers. The vulnerability exists in the argument sanitization functions (sanitiseArg/sanitizeArg actions) which process HTTP request parameters. The root cause (CWE-1050: Initialization with Hard-Coded Network Resource Configuration Data / similar argument handling flaw) relates to improper bounds checking or resource exhaustion handling when processing a large number of request arguments. When rules containing these actions are triggered, the WAF fails to properly limit or validate the quantity of arguments being processed, allowing an attacker to exhaust memory or processing capacity through argument multiplication attacks, similar to the related CVE-2025-47947 (GHSA-859r-vvv8-rm8r). The vulnerability affects all installations using ModSecurity 2.9.x versions before 2.9.10 on any supported platform (Apache, IIS, Nginx).

RemediationAI

Immediate actions: (1) Upgrade ModSecurity to version 2.9.10 or later (patch available); (2) Apply vendor patches from ModSecurity GitHub repository (https://github.com/SpiderLabs/ModSecurity/releases/tag/v2.9.10); (3) For systems unable to patch immediately, implement workaround by disabling or removing all rules containing sanitiseArg or sanitizeArg actions—identify affected rules in active rulesets (OWASP CRS, vendor-specific rules) and remove or comment them out; (4) Implement rate limiting at upstream load balancer/proxy to limit request argument counts; (5) Monitor for exploitation attempts using WAF logs for requests with unusually high argument counts. Patch path: Update from 2.9.x to 2.9.10+ (appears to be a patch release, not requiring major version upgrade). Vendor advisory and patch details available at ModSecurity GitHub releases.

More from same product – last 7 days

CVE-2025-48977 HIGH This Week

8.5 May 28

Path traversal in Apache Ignite 2.0.0 through 2.17.0 lets authenticated REST API users read arbitrary files on the serve

CVE-2026-9277 HIGH This Week

8.1 May 22

Command injection in the shell-quote npm package allows attackers who can influence object-token inputs to inject arbitr

CVE-2026-9256 HIGH This Week

8.1 May 22

Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows unauthenticated remote attackers

CVE-2026-42782 HIGH This Week

7.2 May 25

Code execution via Groovy sandbox bypass in Apache Syncope 3.0 through 3.0.16, 4.0 through 4.0.5, and 4.1.0 allows a hig

CVE-2026-43827 MEDIUM This Month

5.9 May 25

Default configurations of Apache Shiro have a session fixation vulnerability. This issue affects Apache Shiro from 1.0

Vendor StatusVendor

Ubuntu

Priority: Medium

modsecurity-apache

Release	Status	Version
bionic	released	2.9.2-1ubuntu0.1~esm2
focal	released	2.9.3-1ubuntu0.1+esm1
jammy	released	2.9.5-1ubuntu0.1~esm2
noble	released	2.9.7-1ubuntu0.24.04.1~esm1
oracular	released	2.9.7-1ubuntu0.24.10.1
plucky	released	2.9.8-1.1ubuntu0.1
trusty	released	2.7.7-2ubuntu0.1~esm2
upstream	released	2.9.10
xenial	released	2.9.0-1ubuntu0.1~esm2
questing	needs-triage	-

USN-7567-1

Debian

Bug #1107196

modsecurity-apache

Release	Status	Fixed Version	Urgency
bullseye	fixed	2.9.3-3+deb11u4	-
bullseye (security)	fixed	2.9.3-3+deb11u5	-
bookworm	fixed	2.9.7-1+deb12u1	-
bookworm (security)	fixed	2.9.7-1+deb12u1	-
trixie	fixed	2.9.11-1+deb13u1	-
forky, sid	fixed	2.9.12-2	-
(unstable)	fixed	2.9.10-1	-

DLA-4212-1 DSA-5940-1

CVE-2025-48866 vulnerability details – vuln.today

Back

Modsecurity CVE-2025-48866

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

RemediationAI

More from same product – last 7 days

Vendor StatusVendor

Ubuntu

Debian

Share

External POC / Exploit Code