CVE-2025-52891 — Improper Input Validation in Modsecurity

CWE-20 — Improper Input Validation5 documents5 sources

Severity

6.5MEDIUMNVD

EPSS

0.1%

top 76.71%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Owasp-modsecurity Modsecurity

Timeline

PublishedJul 2

Description

ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. In versions 2.9.8 to before 2.9.11, an empty XML tag can cause a segmentation fault. If SecParseXmlIntoArgs is set to On or OnlyArgs, and the request type is application/xml, and at least one XML tag is empty (eg ), then a segmentation fault occurs. This issue has been patched in version 2.9.11. A workaround involves setting SecParseXmlIntoArgs to Off.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages1 packages

▶CVEListV5owasp-modsecurity/modsecurity>= 2.9.8, < 2.9.11

🔴Vulnerability Details

CVEList

ModSecurity empty XML tag causes segmentation fault↗2025-07-02

▶

OSV

CVE-2025-52891: ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx↗2025-07-02

▶

📋Vendor Advisories

Red Hat

mod_security: ModSecurity segmentation fault↗2025-07-02

▶

Debian

CVE-2025-52891: modsecurity-apache - ModSecurity is an open source, cross platform web application firewall (WAF) eng...↗2025

▶