BIT-modsecurity2-2025-48866

Import Source
https://github.com/bitnami/vulndb/tree/main/data/modsecurity2/BIT-modsecurity2-2025-48866.json
JSON Data
https://api.osv.dev/v1/vulns/BIT-modsecurity2-2025-48866
Aliases
Published
2025-06-04T14:48:01.890Z
Modified
2025-06-10T07:53:49.719Z
Summary
ModSecurity has possible DoS vulnerability in sanitiseArg action
Details

ModSecurity is an open source, cross-platform web application firewall (WAF) engine for Apache, IIS and Nginx. Versions prior to 2.9.10 contain a denial of service vulnerability similar to GHSA-859r-vvv8-rm8r/CVE-2025-47947. The sanitiseArg action (and sanitizeArg, which is the same action under an alias) is vulnerable to an excessive number of arguments being added, leading to denial of service. Version 2.9.10 fixes the issue. As a workaround, avoid using rules that contain the sanitiseArg (or sanitizeArg) action.

Database specific
{
    "cpes": [
        "cpe:2.3:a:trustwave:modsecurity:*:*:*:*:*:*:*:*"
    ],
    "severity": "High"
}
References

Affected packages

Bitnami / modsecurity2

Package

Name
modsecurity2
Purl
pkg:bitnami/modsecurity2

Severity

  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
2.9.10