Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
AC:H because exploitation is contingent on i386 architecture, a deployment condition outside attacker control that substantially limits viable targets.
Primary rating from Vendor (GitHub_M).
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
4DescriptionNVD
ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. From 3.0.0 through 3.0.15, the t:utf8toUnicode transformation in src/actions/transformations/utf8_to_unicode.cc produces wrong output on i386 architecture because snprintf uses sizeof on a char pointer rather than the length of the unicode buffer, allowing rules that use this transformation to be bypassed on i386 architecture. This issue is fixed in version 3.0.16.
AnalysisAI
WAF rule bypass in ModSecurity 3.0.0-3.0.15 on i386 architecture allows network-accessible attackers to evade rules that use the t:utf8toUnicode transformation, potentially permitting injection attacks or other malicious payloads to reach protected applications undetected. The root cause is CWE-467 - sizeof() applied to a char pointer in utf8_to_unicode.cc yields the pointer width (4 bytes on i386) rather than the unicode buffer length, corrupting transformation output. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that ModSecurity is deployed on an i386 (32-bit x86) architecture - the bug does not manifest on x86_64 or other architectures. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N, score 5.8) reflects the network accessibility and scope change (WAF bypass affecting downstream applications), but AC:L overstates ease of exploitation by ignoring the i386 architecture prerequisite - a condition not under attacker control. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker targeting a web application protected by ModSecurity on an i386 server crafts an HTTP request containing a malicious payload (such as an XSS vector or SQL injection string) encoded in UTF-8 in a way specifically designed to evade detection after t:utf8toUnicode normalization. Because the transformation produces incorrect output on i386 due to the sizeof bug, the ModSecurity rule fails to match the normalized form of the payload, and the malicious request passes through the WAF to the backend application. … |
| Remediation | Upgrade ModSecurity to version 3.0.16, which resolves the issue via commit edcd010814e234d46e2ec55a0f1078ff9d3032e4 (https://github.com/owasp-modsecurity/ModSecurity/commit/edcd010814e234d46e2ec55a0f1078ff9d3032e4); the release is available at https://github.com/owasp-modsecurity/ModSecurity/releases/tag/v3.0.16. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Modsecurity
View allLibmodsecurity is one component of the ModSecurity v3 project. Rated high severity (CVSS 7.9), this vulnerability is rem
ModSecurity versions prior to 2.9.10 contain a denial of service vulnerability in the `sanitiseArg` and `sanitizeArg` ac
ModSecurity 3.x through 3.0.5 mishandles excessively nested JSON objects. Rated high severity (CVSS 7.5), this vulnerabi
Trustwave ModSecurity 3.x through 3.0.4 allows denial of service via a special request. Rated high severity (CVSS 7.5),
The mod_security2 module before 2.7.0 for the Apache HTTP Server allows remote attackers to bypass rules, and deliver ar
ModSecurity 3.0.0 has XSS via an onerror attribute of an IMG element. Rated medium severity (CVSS 6.1), this vulnerabili
The ModSecurity module before 2.7.4 for the Apache HTTP Server allows remote attackers to cause a denial of service (NUL
apache2/modsecurity.c in ModSecurity before 2.7.6 allows remote attackers to bypass rules by using chunked transfer codi
WAF filtering bypass in OWASP ModSecurity (libmodsecurity) before 3.0.16 lets remote unauthenticated attackers smuggle m
ModSecurity / libModSecurity 3.0.0 to 3.0.11 is affected by a WAF bypass for path-based payloads submitted via specially
ModSecurity before 2.7.3 allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cau
A buffer overflow in modsecurity v3.0.12 allows attackers to cause a Denial of Service (DoS) via a crafted input inserte
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43113