Unrated severityNVD Advisory· Published Jun 2, 2025· Updated Jun 9, 2025
ModSecurity has possible DoS vulnerability in sanitiseArg action
CVE-2025-48866
Description
ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. Versions prior to 2.9.10 contain a denial of service vulnerability similar to GHSA-859r-vvv8-rm8r/CVE-2025-47947. The sanitiseArg (and sanitizeArg - this is the same action but an alias) is vulnerable to adding an excessive number of arguments, thereby leading to denial of service. Version 2.9.10 fixes the issue. As a workaround, avoid using rules that contain the sanitiseArg (or sanitizeArg) action.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
24<2.9.10+ 1 more
- (no CPE)range: <2.9.10
- (no CPE)range: < 2.9.10
- osv-coords22 versionspkg:bitnami/modsecuritypkg:bitnami/modsecurity2pkg:rpm/opensuse/apache2-mod_security2&distro=openSUSE%20Leap%2015.6pkg:rpm/opensuse/apache2-mod_security2&distro=openSUSE%20Tumbleweedpkg:rpm/suse/apache2-mod_security2&distro=SUSE%20Enterprise%20Storage%207.1pkg:rpm/suse/apache2-mod_security2&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-LTSSpkg:rpm/suse/apache2-mod_security2&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-ESPOSpkg:rpm/suse/apache2-mod_security2&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-LTSSpkg:rpm/suse/apache2-mod_security2&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP5-ESPOSpkg:rpm/suse/apache2-mod_security2&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP5-LTSSpkg:rpm/suse/apache2-mod_security2&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Server%20Applications%2015%20SP6pkg:rpm/suse/apache2-mod_security2&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Server%20Applications%2015%20SP7pkg:rpm/suse/apache2-mod_security2&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5-LTSSpkg:rpm/suse/apache2-mod_security2&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP3-LTSSpkg:rpm/suse/apache2-mod_security2&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP4-LTSSpkg:rpm/suse/apache2-mod_security2&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP5-LTSSpkg:rpm/suse/apache2-mod_security2&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP3pkg:rpm/suse/apache2-mod_security2&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP4pkg:rpm/suse/apache2-mod_security2&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP5pkg:rpm/suse/apache2-mod_security2&distro=SUSE%20Linux%20Enterprise%20Server%20LTSS%20Extended%20Security%2012%20SP5pkg:rpm/suse/apache2-mod_security2&distro=SUSE%20Manager%20Proxy%204.3pkg:rpm/suse/apache2-mod_security2&distro=SUSE%20Manager%20Server%204.3
< 3.0.12+ 21 more
- (no CPE)range: < 3.0.12
- (no CPE)range: < 2.9.10
- (no CPE)range: < 2.9.4-150400.3.9.1
- (no CPE)range: < 2.9.10-1.1
- (no CPE)range: < 2.9.2-150000.3.12.1
- (no CPE)range: < 2.9.2-150000.3.12.1
- (no CPE)range: < 2.9.4-150400.3.9.1
- (no CPE)range: < 2.9.4-150400.3.9.1
- (no CPE)range: < 2.9.4-150400.3.9.1
- (no CPE)range: < 2.9.4-150400.3.9.1
- (no CPE)range: < 2.9.4-150400.3.9.1
- (no CPE)range: < 2.9.4-150400.3.9.1
- (no CPE)range: < 2.8.0-7.9.1
- (no CPE)range: < 2.9.2-150000.3.12.1
- (no CPE)range: < 2.9.4-150400.3.9.1
- (no CPE)range: < 2.9.4-150400.3.9.1
- (no CPE)range: < 2.9.2-150000.3.12.1
- (no CPE)range: < 2.9.4-150400.3.9.1
- (no CPE)range: < 2.9.4-150400.3.9.1
- (no CPE)range: < 2.8.0-7.9.1
- (no CPE)range: < 2.9.4-150400.3.9.1
- (no CPE)range: < 2.9.4-150400.3.9.1
Patches
Vulnerability mechanics
References
3- github.com/owasp-modsecurity/ModSecurity/commit/3a54ccea62d3f7151bb08cb78d60c5e90b53ca2emitrex_refsource_MISC
- github.com/owasp-modsecurity/ModSecurity/security/advisories/GHSA-859r-vvv8-rm8rmitrex_refsource_MISC
- github.com/owasp-modsecurity/ModSecurity/security/advisories/GHSA-f82j-8pp7-cw2wmitrex_refsource_CONFIRM
News mentions
0No linked articles in our index yet.