Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools

owasp-modsecurity

Source -

CNA

BOS Name -

N/A

CNA CVEs -

5

ADP CVEs -

0

CISA CVEs -

0

NVD CVEs -

0
Related CVEsRelated ProductsRelated AssignersReports
0Vulnerabilities found
CVE-2025-54571
Assigner-GitHub, Inc.
ShareView Details
Assigner-GitHub, Inc.
CVSS Score-6.9||MEDIUM
EPSS-0.05% / 15.90%
||
7 Day CHG~0.00%
Published-05 Aug, 2025 | 23:39
Updated-06 Aug, 2025 | 21:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ModSecurity's Insufficient Return Value Handling can Lead to XSS and Source Code Disclosure

ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. In versions 2.9.11 and below, an attacker can override the HTTP response’s Content-Type, which could lead to several issues depending on the HTTP scenario. For example, we have demonstrated the potential for XSS and arbitrary script source code disclosure in the latest version of mod_security2. This issue is fixed in version 2.9.12.

Action-Not Available
Vendor-owasp-modsecurity
Product-ModSecurity
CWE ID-CWE-252
Unchecked Return Value
CVE-2025-48866
Assigner-GitHub, Inc.
ShareView Details
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-0.13% / 33.30%
||
7 Day CHG~0.00%
Published-02 Jun, 2025 | 15:46
Updated-02 Jul, 2025 | 18:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ModSecurity has possible DoS vulnerability in sanitiseArg action

ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. Versions prior to 2.9.10 contain a denial of service vulnerability similar to GHSA-859r-vvv8-rm8r/CVE-2025-47947. The `sanitiseArg` (and `sanitizeArg` - this is the same action but an alias) is vulnerable to adding an excessive number of arguments, thereby leading to denial of service. Version 2.9.10 fixes the issue. As a workaround, avoid using rules that contain the `sanitiseArg` (or `sanitizeArg`) action.

Action-Not Available
Vendor-owaspowasp-modsecurity
Product-modsecurityModSecurity
CWE ID-CWE-1050
Excessive Platform Resource Consumption within a Loop
CVE-2025-47947
Assigner-GitHub, Inc.
ShareView Details
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-0.09% / 27.08%
||
7 Day CHG~0.00%
Published-21 May, 2025 | 22:08
Updated-20 Jun, 2025 | 16:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ModSecurity Has Possible DoS Vulnerability

ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. Versions up to and including 2.9.8 are vulnerable to denial of service in one special case (in stable released versions): when the payload's content type is `application/json`, and there is at least one rule which does a `sanitiseMatchedBytes` action. A patch is available at pull request 3389 and expected to be part of version 2.9.9. No known workarounds are available.

Action-Not Available
Vendor-trustwaveowasp-modsecurity
Product-modsecurityModSecurity
CWE ID-CWE-1050
Excessive Platform Resource Consumption within a Loop
CVE-2025-27110
Assigner-GitHub, Inc.
ShareView Details
Assigner-GitHub, Inc.
CVSS Score-7.9||HIGH
EPSS-0.06% / 18.97%
||
7 Day CHG~0.00%
Published-25 Feb, 2025 | 20:00
Updated-28 Feb, 2025 | 13:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Libmodsecurity3 has possible bypass of encoded HTML entities

Libmodsecurity is one component of the ModSecurity v3 project. The library codebase serves as an interface to ModSecurity Connectors taking in web traffic and applying traditional ModSecurity processing. A bug that exists only in Libmodsecurity3 version 3.0.13 means that, in 3.0.13, Libmodsecurity3 can't decode encoded HTML entities if they contains leading zeroes. Version 3.0.14 contains a fix. No known workarounds are available.

Action-Not Available
Vendor-trustwaveowasp-modsecurity
Product-modsecurityModSecurity
CWE ID-CWE-172
Encoding Error
CVE-2025-52891
Assigner-GitHub, Inc.
ShareView Details
Assigner-GitHub, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.06% / 19.22%
||
7 Day CHG~0.00%
Published-Not Available
Updated-03 Jul, 2025 | 15:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. In versions 2.9.8 to before 2.9.11, an empty XML tag can cause a segmentation fault. If SecParseXmlIntoArgs is set to On or OnlyArgs, and the request type is application/xml, and at least one XML tag is empty (eg <foo></foo>), then a segmentation fault occurs. This issue has been patched in version 2.9.11. A workaround involves setting SecParseXmlIntoArgs to Off.

Action-Not Available
Vendor-
Product-
CWE ID-CWE-20
Improper Input Validation