CVE-2025-48866

NameCVE-2025-48866
DescriptionModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. Versions prior to 2.9.10 contain a denial of service vulnerability similar to GHSA-859r-vvv8-rm8r/CVE-2025-47947. The `sanitiseArg` (and `sanitizeArg` - this is the same action but an alias) is vulnerable to adding an excessive number of arguments, thereby leading to denial of service. Version 2.9.10 fixes the issue. As a workaround, avoid using rules that contain the `sanitiseArg` (or `sanitizeArg`) action.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-4212-1, DSA-5940-1
Debian Bugs1107196

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
modsecurity-apache (PTS)bullseye2.9.3-3+deb11u2vulnerable
bullseye (security)2.9.3-3+deb11u4fixed
bookworm2.9.7-1vulnerable
bookworm (security)2.9.7-1+deb12u1fixed
sid, trixie2.9.10-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
modsecurity-apachesourcebullseye2.9.3-3+deb11u4DLA-4212-1
modsecurity-apachesourcebookworm2.9.7-1+deb12u1DSA-5940-1
modsecurity-apachesource(unstable)2.9.10-11107196

Notes

https://github.com/owasp-modsecurity/ModSecurity/security/advisories/GHSA-f82j-8pp7-cw2w
Fixed by: https://github.com/owasp-modsecurity/ModSecurity/commit/3a54ccea62d3f7151bb08cb78d60c5e90b53ca2e (v2.9.10)
Search for package or bug name: Reporting problems