{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-48866", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-05-27T20:14:34.294Z", "datePublished": "2025-06-02T15:46:19.909Z", "dateUpdated": "2025-06-02T15:54:25.494Z"}, "containers": {"cna": {"title": "ModSecurity has possible DoS vulnerability in sanitiseArg action", "problemTypes": [{"descriptions": [{"cweId": "CWE-1050", "lang": "en", "description": "CWE-1050: Excessive Platform Resource Consumption within a Loop", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/owasp-modsecurity/ModSecurity/security/advisories/GHSA-f82j-8pp7-cw2w", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/owasp-modsecurity/ModSecurity/security/advisories/GHSA-f82j-8pp7-cw2w"}, {"name": "https://github.com/owasp-modsecurity/ModSecurity/security/advisories/GHSA-859r-vvv8-rm8r", "tags": ["x_refsource_MISC"], "url": "https://github.com/owasp-modsecurity/ModSecurity/security/advisories/GHSA-859r-vvv8-rm8r"}, {"name": "https://github.com/owasp-modsecurity/ModSecurity/commit/3a54ccea62d3f7151bb08cb78d60c5e90b53ca2e", "tags": ["x_refsource_MISC"], "url": "https://github.com/owasp-modsecurity/ModSecurity/commit/3a54ccea62d3f7151bb08cb78d60c5e90b53ca2e"}, {"name": "https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-(v2.x)#sanitisearg", "tags": ["x_refsource_MISC"], "url": "https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-(v2.x)#sanitisearg"}], "affected": [{"vendor": "owasp-modsecurity", "product": "ModSecurity", "versions": [{"version": "< 2.9.10", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-06-02T15:46:19.909Z"}, "descriptions": [{"lang": "en", "value": "ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. Versions prior to 2.9.10 contain a denial of service vulnerability similar to GHSA-859r-vvv8-rm8r/CVE-2025-47947. The `sanitiseArg` (and `sanitizeArg` - this is the same action but an alias) is vulnerable to adding an excessive number of arguments, thereby leading to denial of service. Version 2.9.10 fixes the issue. As a workaround, avoid using rules that contain the `sanitiseArg` (or `sanitizeArg`) action."}], "source": {"advisory": "GHSA-f82j-8pp7-cw2w", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-06-02T15:52:43.836965Z", "id": "CVE-2025-48866", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-02T15:54:25.494Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-48866", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-06-02T15:52:43.836965Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-02T15:53:14.952Z"}}], "cna": {"title": "ModSecurity has possible DoS vulnerability in sanitiseArg action", "source": {"advisory": "GHSA-f82j-8pp7-cw2w", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "owasp-modsecurity", "product": "ModSecurity", "versions": [{"status": "affected", "version": "< 2.9.10"}]}], "references": [{"url": "https://github.com/owasp-modsecurity/ModSecurity/security/advisories/GHSA-f82j-8pp7-cw2w", "name": "https://github.com/owasp-modsecurity/ModSecurity/security/advisories/GHSA-f82j-8pp7-cw2w", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/owasp-modsecurity/ModSecurity/security/advisories/GHSA-859r-vvv8-rm8r", "name": "https://github.com/owasp-modsecurity/ModSecurity/security/advisories/GHSA-859r-vvv8-rm8r", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/owasp-modsecurity/ModSecurity/commit/3a54ccea62d3f7151bb08cb78d60c5e90b53ca2e", "name": "https://github.com/owasp-modsecurity/ModSecurity/commit/3a54ccea62d3f7151bb08cb78d60c5e90b53ca2e", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-(v2.x)#sanitisearg", "name": "https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-(v2.x)#sanitisearg", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. Versions prior to 2.9.10 contain a denial of service vulnerability similar to GHSA-859r-vvv8-rm8r/CVE-2025-47947. The `sanitiseArg` (and `sanitizeArg` - this is the same action but an alias) is vulnerable to adding an excessive number of arguments, thereby leading to denial of service. Version 2.9.10 fixes the issue. As a workaround, avoid using rules that contain the `sanitiseArg` (or `sanitizeArg`) action."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1050", "description": "CWE-1050: Excessive Platform Resource Consumption within a Loop"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-06-02T15:46:19.909Z"}}}, "cveMetadata": {"cveId": "CVE-2025-48866", "state": "PUBLISHED", "dateUpdated": "2025-06-02T15:54:25.494Z", "dateReserved": "2025-05-27T20:14:34.294Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-06-02T15:46:19.909Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. Versions prior to 2.9.10 contain a denial of service vulnerability similar to GHSA-859r-vvv8-rm8r/CVE-2025-47947. The `sanitiseArg` (and `sanitizeArg` - this is the same action but an alias) is vulnerable to adding an excessive number of arguments, thereby leading to denial of service. Version 2.9.10 fixes the issue. As a workaround, avoid using rules that contain the `sanitiseArg` (or `sanitizeArg`) action."}], "id": "CVE-2025-48866", "lastModified": "2025-06-02T17:32:17.397", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "[email protected]", "type": "Secondary"}]}, "published": "2025-06-02T16:15:29.900", "references": [{"source": "[email protected]", "url": "https://github.com/owasp-modsecurity/ModSecurity/commit/3a54ccea62d3f7151bb08cb78d60c5e90b53ca2e"}, {"source": "[email protected]", "url": "https://github.com/owasp-modsecurity/ModSecurity/security/advisories/GHSA-859r-vvv8-rm8r"}, {"source": "[email protected]", "url": "https://github.com/owasp-modsecurity/ModSecurity/security/advisories/GHSA-f82j-8pp7-cw2w"}, {"source": "[email protected]", "url": "https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-(v2.x)#sanitisearg"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1050"}], "source": "[email protected]", "type": "Primary"}]}

{"bugzilla": {"description": "mod_security: ModSecurity Denial of Service Vulnerability", "id": "2369827", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2369827"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.9", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-1050", "details": ["ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. Versions prior to 2.9.10 contain a denial of service vulnerability similar to GHSA-859r-vvv8-rm8r/CVE-2025-47947. The `sanitiseArg` (and `sanitizeArg` - this is the same action but an alias) is vulnerable to adding an excessive number of arguments, thereby leading to denial of service. Version 2.9.10 fixes the issue. As a workaround, avoid using rules that contain the `sanitiseArg` (or `sanitizeArg`) action.", "A denial of service flaw was found in ModSecurity. This vulnerability is present in the `sanitiseArg`/`sanitizeArg` function can be overloaded with a large number of arguments which will lead to excessive memory usage when processing json values. This may lead to a denial of service in the affected web server should memory limits be exceeded."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2025-48866", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "mod_security", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "mod_security", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "mod_security", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:jboss_core_services:1", "fix_state": "Fix deferred", "package_name": "mod_security", "product_name": "Red Hat JBoss Core Services"}], "public_date": "2025-06-02T15:46:19Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-48866\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-48866\nhttps://github.com/owasp-modsecurity/ModSecurity/commit/3a54ccea62d3f7151bb08cb78d60c5e90b53ca2e\nhttps://github.com/owasp-modsecurity/ModSecurity/security/advisories/GHSA-859r-vvv8-rm8r\nhttps://github.com/owasp-modsecurity/ModSecurity/security/advisories/GHSA-f82j-8pp7-cw2w\nhttps://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-(v2.x)#sanitisearg"], "statement": "User configuration must have at least one rule that does a `sanitiseMatchedBytes` action to be affected. Default configurations are not affected.", "threat_severity": "Moderate"}