
CVE-2025-48866 – ModSecurity has possible DoS vulnerability in sanitiseArg action
https://notcve.org/view.php?id=CVE-2025-48866
02 Jun 2025 — ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. Versions prior to 2.9.10 contain a denial of service vulnerability similar to GHSA-859r-vvv8-rm8r/CVE-2025-47947. The `sanitiseArg` (and `sanitizeArg` - this is the same action but an alias) is vulnerable to adding an excessive number of arguments, thereby leading to denial of service. Version 2.9.10 fixes the issue. As a workaround, avoid using rules that contain the `sanitiseArg` (or `sanitizeArg... • https://github.com/owasp-modsecurity/ModSecurity/commit/3a54ccea62d3f7151bb08cb78d60c5e90b53ca2e • CWE-1050: Excessive Platform Resource Consumption within a Loop •

CVE-2025-47947 – ModSecurity Has Possible DoS Vulnerability
https://notcve.org/view.php?id=CVE-2025-47947
21 May 2025 — ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. Versions up to and including 2.9.8 are vulnerable to denial of service in one special case (in stable released versions): when the payload's content type is `application/json`, and there is at least one rule which does a `sanitiseMatchedBytes` action. A patch is available at pull request 3389 and expected to be part of version 2.9.9. No known workarounds are available. A flaw was found in the mod_s... • https://github.com/owasp-modsecurity/ModSecurity/pull/3389 • CWE-1050: Excessive Platform Resource Consumption within a Loop •

CVE-2025-27110 – Libmodsecurity3 has possible bypass of encoded HTML entities
https://notcve.org/view.php?id=CVE-2025-27110
25 Feb 2025 — Libmodsecurity is one component of the ModSecurity v3 project. The library codebase serves as an interface to ModSecurity Connectors taking in web traffic and applying traditional ModSecurity processing. A bug that exists only in Libmodsecurity3 version 3.0.13 means that, in 3.0.13, Libmodsecurity3 can't decode encoded HTML entities if they contains leading zeroes. Version 3.0.14 contains a fix. No known workarounds are available. • https://github.com/owasp-modsecurity/ModSecurity/issues/3340 • CWE-172: Encoding Error •

CVE-2024-46292
https://notcve.org/view.php?id=CVE-2024-46292
09 Oct 2024 — A buffer overflow in modsecurity v3.0.12 allows attackers to cause a Denial of Service (DoS) via a crafted input inserted into the name parameter. NOTE: this is disputed by the Supplier because it cannot be reproduced. Also, the product's documentation indicates that it is not guaranteed to be usable with very large values of SecRequestBodyNoFilesLimit (which are required by the claimed issue). • https://github.com/owasp-modsecurity/ModSecurity/blob/v3/master/README.md • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •

CVE-2019-13464
https://notcve.org/view.php?id=CVE-2019-13464
09 Jul 2019 — An issue was discovered in OWASP ModSecurity Core Rule Set (CRS) 3.0.2. Use of X.Filename instead of X_Filename can bypass some PHP Script Uploads rules, because PHP automatically transforms dots into underscores in certain contexts where dots are invalid. Se detectó un problema en OWASP ModSecurity Core Rule Set (CRS) versión 3.0.2. El uso de X.Filename en lugar de X_Filename puede omitir algunas reglas de PHP Script Uploads, porque PHP transforma automáticamente los puntos en guiones bajos en determinados... • https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1386 • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2019-11391
https://notcve.org/view.php?id=CVE-2019-11391
21 Apr 2019 — An issue was discovered in OWASP ModSecurity Core Rule Set (CRS) through 3.1.0. /rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf allows remote attackers to cause a denial of service (ReDOS) by entering a specially crafted string with $a# at the beginning and nested repetition operators. NOTE: the software maintainer disputes that this is a vulnerability because the issue cannot be exploited via ModSecurity ** EN DISPUTA ** Se detecto un problema en OWASP ModSecurity Core Rule Set (CRS) versión 3.1.0. El archi... • https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1357 • CWE-400: Uncontrolled Resource Consumption •

CVE-2019-11390
https://notcve.org/view.php?id=CVE-2019-11390
21 Apr 2019 — An issue was discovered in OWASP ModSecurity Core Rule Set (CRS) through 3.1.0. /rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf allows remote attackers to cause a denial of service (ReDOS) by entering a specially crafted string with set_error_handler# at the beginning and nested repetition operators. NOTE: the software maintainer disputes that this is a vulnerability because the issue cannot be exploited via ModSecurity ** EN DISPUTA ** Un problema fue descubierto en OWASP ModSecurity Core Rule Set (CRS) ver... • https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1358 • CWE-400: Uncontrolled Resource Consumption •

CVE-2019-11389
https://notcve.org/view.php?id=CVE-2019-11389
21 Apr 2019 — An issue was discovered in OWASP ModSecurity Core Rule Set (CRS) through 3.1.0. /rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf allows remote attackers to cause a denial of service (ReDOS) by entering a specially crafted string with next# at the beginning and nested repetition operators. NOTE: the software maintainer disputes that this is a vulnerability because the issue cannot be exploited via ModSecurity **EN DISPUTA ** Se detecto un problema en OWASP ModSecurity Core Rule Set (CRS) versión 3.1.0. El arch... • https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1356 • CWE-400: Uncontrolled Resource Consumption •

CVE-2019-11388
https://notcve.org/view.php?id=CVE-2019-11388
21 Apr 2019 — An issue was discovered in OWASP ModSecurity Core Rule Set (CRS) through 3.1.0. /rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf allows remote attackers to cause a denial of service (ReDOS) by entering a specially crafted string with nested repetition operators. NOTE: the software maintainer disputes that this is a vulnerability because the issue cannot be exploited via ModSecurity ** EN DISPUTA ** Un problema fue descubierto en OWASP ModSecurity Core Rule Set (CRS) versión 3.1.0. El fichero /rules/REQUEST-93... • https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1354 • CWE-400: Uncontrolled Resource Consumption •

CVE-2019-11387
https://notcve.org/view.php?id=CVE-2019-11387
21 Apr 2019 — An issue was discovered in OWASP ModSecurity Core Rule Set (CRS) through 3.1.0. /rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf allows remote attackers to cause a denial of service (ReDOS) by entering a specially crafted string with nested repetition operators. Un problema fue descubierto en OWASP ModSecurity Core Rule Set (CRS) versión 3.1.0. El fichero /rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf permite a los atacantes remotos provocar una denegación de servicio (ReDOS) introduciendo una cadena especi... • https://coreruleset.org/20190627/announcement-owasp-modsecurity-core-rule-set-version-3-1-1 • CWE-400: Uncontrolled Resource Consumption •