Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
Remote unauthenticated multipart request, no user interaction (AV:N/AC:L/PR:N/UI:N); scope changes to the protected backend (S:C) whose integrity is undermined by the bypass (I:H), with no confidentiality or availability loss.
Primary rating from Vendor (GitHub_M).
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
Lifecycle Timeline
3DescriptionNVD
ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. Prior to 3.0.16, the multipart/form-data request body parser in libmodsecurity silently removes embedded line breaks from non-file form-field values before exporting them to ARGS and ARGS_POST because src/request_body_processor/multipart.cc overwrites reserved bytes in m_reserve instead of appending the current buffer. This creates a parser differential between ModSecurity and backend applications that preserve line breaks in form fields, allowing rules that inspect ARGS or ARGS_POST to miss payloads whose dangerous syntax depends on a line break. This issue is fixed in version 3.0.16.
Articles & Coverage 1
AnalysisAI
WAF filtering bypass in OWASP ModSecurity (libmodsecurity) before 3.0.16 lets remote unauthenticated attackers smuggle malicious payloads past inspection rules by exploiting a multipart/form-data parser differential. The engine silently strips embedded line breaks from non-file form-field values before populating ARGS and ARGS_POST, so any rule whose detection depends on a newline (e.g. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the target application (1) is protected by ModSecurity/libmodsecurity earlier than 3.0.16, (2) accepts multipart/form-data request bodies, (3) enforces detection rules that inspect the ARGS or ARGS_POST collections, and (4) runs a backend that preserves embedded CR/LF in form-field values so its parsing diverges from ModSecurity's - the payload's malicious effect must specifically depend on a line break that ModSecurity removes but the backend keeps. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | This is a genuine security-control-bypass with a wide blast radius rather than a high-CVSS-but-low-impact issue: the CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N correctly captures a network-reachable, low-complexity, unauthenticated condition whose scope change (S:C) reflects that the harmed component is the protected backend, not ModSecurity itself, with high integrity impact and no confidentiality or availability loss. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker submits a crafted multipart/form-data POST to an application fronted by ModSecurity, placing a malicious payload (for example an injection string whose dangerous syntax is split by an embedded newline) inside a non-file form field. ModSecurity strips the line break before writing the value to ARGS/ARGS_POST, so the CRS or custom rule that would have flagged the payload sees a benign-looking single line and passes the request, while the backend reassembles or interprets the original bytes and executes the intended attack. … |
| Remediation | Vendor-released patch: 3.0.16 - upgrade libmodsecurity to version 3.0.16 or later and reload the Apache/IIS/Nginx worker so the fixed multipart parser is loaded, per release https://github.com/owasp-modsecurity/ModSecurity/releases/tag/v3.0.16 and advisory https://github.com/owasp-modsecurity/ModSecurity/security/advisories/GHSA-rcw9-2f5r-7p88. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Identify and document all production ModSecurity deployments with version < 3.0.16; analyze recent multipart/form-data traffic for exploitation indicators. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Modsecurity
View allLibmodsecurity is one component of the ModSecurity v3 project. Rated high severity (CVSS 7.9), this vulnerability is rem
ModSecurity versions prior to 2.9.10 contain a denial of service vulnerability in the `sanitiseArg` and `sanitizeArg` ac
ModSecurity 3.x through 3.0.5 mishandles excessively nested JSON objects. Rated high severity (CVSS 7.5), this vulnerabi
Trustwave ModSecurity 3.x through 3.0.4 allows denial of service via a special request. Rated high severity (CVSS 7.5),
The mod_security2 module before 2.7.0 for the Apache HTTP Server allows remote attackers to bypass rules, and deliver ar
ModSecurity 3.0.0 has XSS via an onerror attribute of an IMG element. Rated medium severity (CVSS 6.1), this vulnerabili
The ModSecurity module before 2.7.4 for the Apache HTTP Server allows remote attackers to cause a denial of service (NUL
apache2/modsecurity.c in ModSecurity before 2.7.6 allows remote attackers to bypass rules by using chunked transfer codi
ModSecurity / libModSecurity 3.0.0 to 3.0.11 is affected by a WAF bypass for path-based payloads submitted via specially
ModSecurity before 2.7.3 allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cau
A buffer overflow in modsecurity v3.0.12 allows attackers to cause a Denial of Service (DoS) via a crafted input inserte
Trustwave ModSecurity 3.x before 3.0.10 has Inefficient Algorithmic Complexity. Rated high severity (CVSS 7.5), this vul
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43047