CVE-2025-27110: Encoding Error in Modsecurity

CWE-172 Encoding Error (5 documents, 5 sources)
Severity: 7.9 HIGH (NVD)
EPSS: 0.3% (top 49.11%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Feb 25

Description

Libmodsecurity is one component of the ModSecurity v3 project. The library codebase serves as an interface to ModSecurity Connectors, taking in web traffic and applying traditional ModSecurity processing. A bug that exists only in Libmodsecurity3 version 3.0.13 means that, in 3.0.13, Libmodsecurity3 cannot decode encoded HTML entities if they contain leading zeroes. Version 3.0.14 contains a fix. No known workarounds are available.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H

Affected Packages (3 packages)

Debian: trustwave/modsecurity < 3.0.14-1+1
CVEListV5: owasp-modsecurity/modsecurity = 3.0.13

Vulnerability Details (2)

OSV: CVE-2025-27110: Libmodsecurity is one component of the ModSecurity v3 project (2025-02-25)
CVEList: Libmodsecurity3 has possible bypass of encoded HTML entities (2025-02-25)

Vendor Advisories (2)

Red Hat: mod_security: Libmodsecurity3 has possible bypass of encoded HTML entities (2025-02-25)
Debian: CVE-2025-27110: modsecurity - Libmodsecurity is one component of the ModSecurity v3 project. The library codeb... (2025)
CVE-2025-27110 — Encoding Error in Modsecurity | cvebase