CVE-2025-52891

The vulnerability (CVE-2025-52891) resides in ModSecurity's XML parser when handling empty XML tags, such as `. If the SecParseXmlIntoArgs directive is set to On or OnlyArgs, and a request with Content-Type: application/xml contains at least one empty tag, a segmentation fault occurs [1][2]. The root cause is improper management of buffer lengths (currpathbufflen and currvalbufflen`) during the parsing of start and end elements, leading to out-of-bounds memory access, as indicated by the fix [1].

Exploitation of this vulnerability requires the attacker to send a crafted XML payload to an application protected by ModSecurity with SecParseXmlIntoArgs enabled. The default value of this directive is Off, so systems relying on default configurations are not affected. However, in environments where this feature is actively used to parse XML request bodies into arguments, a remote unauthenticated attacker can trigger the crash by submitting a minimal XML document containing empty tags [2]. No authentication or special network position is needed beyond the ability to send HTTP requests.

The impact is a denial of service (DoS) resulting from the segmentation fault, which causes the ModSecurity process or the underlying web server thread to crash. This can disrupt service availability for legitimate users. There is no evidence of code execution or data compromise, so the CVSS score of 6.5 reflects a moderate severity, primarily due to low attack complexity and potential for repeated disruption [2].

The issue has been patched in ModSecurity version 2.9.11 [1][2]. For users unable to upgrade, the immediate workaround is to disable this feature by setting SecParseXmlIntoArgs to Off in the ModSecurity configuration [2]. It is recommended to apply the patch or workaround promptly, especially for deployments relying on XML argument parsing.