CVE-2025-48866

Published Jun 2, 2025

Last updated 10 months ago

CVSS high 7.5

Overview

Description
ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. Versions prior to 2.9.10 contain a denial of service vulnerability similar to GHSA-859r-vvv8-rm8r/CVE-2025-47947. The `sanitiseArg` (and `sanitizeArg` - this is the same action but an alias) is vulnerable to adding an excessive number of arguments, thereby leading to denial of service. Version 2.9.10 fixes the issue. As a workaround, avoid using rules that contain the `sanitiseArg` (or `sanitizeArg`) action.
Source
security-advisories@github.com
NVD status
Analyzed
Products
modsecurity

Risk scores

CVSS 3.1

Type
Secondary
Base score
7.5
Impact score
3.6
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Severity
HIGH

Weaknesses

security-advisories@github.com
CWE-1050

Social media

Hype score
Not currently trending

  1. URGENT: #Oracle Linux 9 mod_security DoS Patch (CVE-2025-48866) - ELSA-2025-12838 Risk: Moderate (Service disruption). Patch NOW via ULN! Read more:👉 https://t.co/0XtB4rKmJl https://t.co/uCANPLlM6s

    @Cezar_H_Linux

    6 Aug 2025

    33 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. Critical update for #openSUSE: Patch apache2-mod_security2 now for CVE-2025-47947 & CVE-2025-48866 DoS fixes. Affects Leap 15.4/15.6, SLE 15 SP4/5, Manager 4.3. Patch cmds: Read more: 👉 https://t.co/kwGpO7w3hE #CyberSecurity #LinuxAdmin https://t.co/ucT8GZL7Fj

    @Cezar_H_Linux

    19 Jun 2025

    48 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. ModSecurity flaw CVE-2025-48866 lets remote attackers crash servers via argument sanitization, risking web systems using Apache, IIS, and Nginx. #CyberSecurity #ModSecurity #ServerVulnerability https://t.co/nlmyAyhGdp

    @CyberSecTV_eu

    15 Jun 2025

    34 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. آیا می دانستید که برای WAF ها نیز آسیب پذیری منتشر می شود؟ به تازگی برای Mod_security که یکی از محبوبترین WAF ها می باشد ، آسیب پذیری جدیدی با کد شناسایی (CVE-2025-48866) از

    @AmirHossein_sec

    4 Jun 2025

    56 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. CVE-2025-48866 ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. Versions prior to 2.9.10 contain a denial of service vu… https://t.co/KcTNLIJ7Zk

    @CVEnew

    2 Jun 2025

    363 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. In versions 2.9.11 and below, an attacker can override the HTTP response’s Content-Type, which could lead to several issues depending on the HTTP scenario. For example, we have demonstrated the potential for XSS and arbitrary script source code disclosure in the latest version of mod_security2. This issue is fixed in version 2.9.12.CVE-2025-54571
  2. ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. Versions up to and including 2.9.8 are vulnerable to denial of service in one special case (in stable released versions): when the payload's content type is `application/json`, and there is at least one rule which does a `sanitiseMatchedBytes` action. A patch is available at pull request 3389 and expected to be part of version 2.9.9. No known workarounds are available.CVE-2025-47947
  3. Libmodsecurity is one component of the ModSecurity v3 project. The library codebase serves as an interface to ModSecurity Connectors taking in web traffic and applying traditional ModSecurity processing. A bug that exists only in Libmodsecurity3 version 3.0.13 means that, in 3.0.13, Libmodsecurity3 can't decode encoded HTML entities if they contains leading zeroes. Version 3.0.14 contains a fix. No known workarounds are available.CVE-2025-27110
  4. A buffer overflow in modsecurity v3.0.12 allows attackers to cause a Denial of Service (DoS) via a crafted input inserted into the name parameter. NOTE: this is disputed by the Supplier because it cannot be reproduced. Also, the product's documentation indicates that it is not guaranteed to be usable with very large values of SecRequestBodyNoFilesLimit (which are required by the claimed issue).CVE-2024-46292
  5. ModSecurity / libModSecurity 3.0.0 to 3.0.11 is affected by a WAF bypass for path-based payloads submitted via specially crafted request URLs. ModSecurity v3 decodes percent-encoded characters present in request URLs before it separates the URL path component from the optional query string component. This results in an impedance mismatch versus RFC compliant back-end applications. The vulnerability hides an attack payload in the path component of the URL from WAF rules inspecting it. A back-end may be vulnerable if it uses the path component of request URLs to construct queries. Integrators and users are advised to upgrade to 3.0.12. The ModSecurity v2 release line is not affected by this vulnerability.CVE-2024-1019

References

Sources include official advisories and independent security research.