EUVD-2025-19726
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Lifecycle Timeline
4Description
ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. In versions 2.9.8 to before 2.9.11, an empty XML tag can cause a segmentation fault. If SecParseXmlIntoArgs is set to On or OnlyArgs, and the request type is application/xml, and at least one XML tag is empty (eg <foo></foo>), then a segmentation fault occurs. This issue has been patched in version 2.9.11. A workaround involves setting SecParseXmlIntoArgs to Off.
Analysis
A remote code execution vulnerability in versions 2.9.8 to (CVSS 6.5). Remediation should follow standard vulnerability management procedures.
Technical Context
CWE-20 (Improper Input Validation). Affects versions 2.9.8 to.
Affected Products
['versions 2.9.8 to']
Remediation
Monitor vendor channels for patch availability.
Priority Score
Vendor Status
Ubuntu
Priority: Medium| Release | Status | Version |
|---|---|---|
| focal | needs-triage | - |
| jammy | needs-triage | - |
| noble | needs-triage | - |
| upstream | needs-triage | - |
| plucky | ignored | end of life, was needs-triage |
| oracular | ignored | end of life, was needs-triage |
| questing | needs-triage | - |
Debian
Bug #1108715| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bullseye | not-affected | - | - |
| bullseye (security) | fixed | 2.9.3-3+deb11u5 | - |
| bookworm | not-affected | - | - |
| bookworm (security) | fixed | 2.9.7-1+deb12u1 | - |
| trixie | fixed | 2.9.11-1+deb13u1 | - |
| forky, sid | fixed | 2.9.12-2 | - |
| (unstable) | fixed | 2.9.11-1 | - |
Share
External POC / Exploit Code
Leaving vuln.today