CVE-2025-47947
Published 2025-05-21
Priority: P3 · 40 · high · CVSS 3.1: 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.56% (42.3rd percentile)
ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. Versions up to and including 2.9.8 are vulnerable to denial of service in one special case (in stable released versions): when the payload's content type is `application/json`, and there is at least one rule which does a `sanitiseMatchedBytes` action. A patch is available at pull request 3389 and expected to be part of version 2.9.9. No known workarounds are available.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | modsecurity-apache | < modsecurity-apache 2.9.7-1+deb12u1 (bookworm) | modsecurity-apache 2.9.7-1+deb12u1 (bookworm) |
| owasp-modsecurity | modsecurity | < 2.9.10 | 2.9.10 |
| owasp | modsecurity | < 2.9.10 | 2.9.10 |
| trustwave | modsecurity | < 2.9.9 | 2.9.9 |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| osv | | 7.5 | HIGH | |
| vendor_debian | | 7.5 | HIGH | |
| vendor_redhat | | 7.5 | HIGH | |
| vendor_ubuntu | | 7.5 | HIGH | |
OSV · 2025-06-13 · CVSS 7.5
CVE-2025-47947 [HIGH] modsecurity-apache vulnerabilities
Simon Studer discovered that ModSecurity incorrectly handled certain JSON objects. An attacker could possibly use this issue to cause a denial of service. (CVE-2025-47947)
It was discovered that ModSecurity incorrectly handled requests when parsing certain form data. An attacker could possibly use this issue to cause a denial of service. (CVE-2025-48866)
OSV · 2025-06-02 · CVSS 7.5
CVE-2025-48866 [HIGH] ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx
ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. Versions prior to 2.9.10 contain a denial of service vulnerability similar to GHSA-859r-vvv8-rm8r/CVE-2025-47947. The `sanitiseArg` (and `sanitizeArg` - this is the same action but an alias) is vulnerable to adding an excessive number of arguments, thereby leading to denial of service. Version 2.9.10 fixes the issue. As a workaround, avoid using rules that contain the `sanitiseArg` (or `sanitizeArg`) action.
OSV · 2025-05-21 · CVSS 7.5
CVE-2025-47947 [HIGH] ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx
Ubuntu · 2025-06-13 · CVSS 7.5
CVE-2025-48866 [HIGH] ModSecurity vulnerabilities
Summary: Several security issues were fixed in ModSecurity.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat · 2025-06-02 · CVSS 7.5
CVE-2025-48866 [HIGH] CWE-1050 mod_security: ModSecurity Denial of Service Vulnerability
A denial of service flaw was found in ModSecurity. This vulnerability is present in the `sanitiseArg`/`sanitizeArg` function, which can be overloaded with a large number of arguments, leading to excessive memory usage.
Red Hat · 2025-05-21 · CVSS 7.5
CVE-2025-47947 [HIGH] CWE-1050 modsecurity: ModSecurity Has Possible DoS Vulnerability
A flaw was found in the mod_security2 Apache2 module. Versions up to and including 2.9.8 are vulnerable to denial of service in one special case. In stable released versions, when the payload's content type is `application/json`, at least one rule performs a
Debian · 2025 · CVSS 7.5
CVE-2025-48866 [HIGH] modsecurity-apache
Scope: local
bookworm: resolved (fixed in 2.9.7-1+deb12u1)
bullseye: resolved (fixed in 2.9.3-3+deb11u4)
forky: resolved (fixed in 2.9.10-1)
sid: resolved (fixed in 2.9.10-1)
trixie: resolved (fixed in 2.9.10-1)
Debian · 2025 · CVSS 7.5
CVE-2025-47947 [HIGH] modsecurity-apache
Scope: local
bookworm: resolved (fixed in 2.9.7-1+deb12u1)
bullseye: resolved (fixed in 2.9.3-3+deb11u3)
forky: resolved (fixed in 2.9.9-1)
sid: resolved (fixed in 2.9.9-1)
trixie: resolved (fixed in 2.9.9-1)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.