BIT-modsecurity2-2025-48866

See a problem?

Import Source

https://github.com/bitnami/vulndb/tree/main/data/modsecurity2/BIT-modsecurity2-2025-48866.json

JSON Data

https://api.osv.dev/v1/vulns/BIT-modsecurity2-2025-48866

Aliases

Published

2025-06-04T14:48:01.890Z

Modified

2025-06-10T07:53:49.719Z

Summary

ModSecurity has possible DoS vulnerability in sanitiseArg action

Details

ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. Versions prior to 2.9.10 contain a denial of service vulnerability similar to GHSA-859r-vvv8-rm8r/CVE-2025-47947. The sanitiseArg (and sanitizeArg - this is the same action but an alias) is vulnerable to adding an excessive number of arguments, thereby leading to denial of service. Version 2.9.10 fixes the issue. As a workaround, avoid using rules that contain the sanitiseArg (or sanitizeArg) action.

Database specific

{
    "cpes": [
        "cpe:2.3:a:trustwave:modsecurity:*:*:*:*:*:*:*:*"
    ],
    "severity": "High"
}

References

Affected packages

Bitnami / modsecurity2

Package

Name: modsecurity2
Purl: pkg:bitnami/modsecurity2

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.9.10