Summary
ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx.
OEM | ModSecurity |
Severity | HIGH |
CVSS Score | 7.5 |
CVEs | CVE-2025-48866 |
CWEs | CWE-1050 |
Exploited in Wild | No |
Advisory Version | 1.0 |
Overview
A Denial of Service (DoS) vulnerability has been identified in ModSecurity, an open-source web application firewall (WAF) used with Apache, Nginx and IIS.
The issue affects ModSecurity 2.x versions prior to 2.9.10 and is related to the “sanitiseArg” action. A request carrying an excessive number of arguments that share the sanitised argument name makes the engine consume memory without bound, which can cause the worker process to fail or crash. The vulnerability has been fixed in version 2.9.10.
No user interaction is required to trigger it: a single unauthenticated request is enough, and exploiting it leads to significant resource consumption and service disruption.
Vulnerability Name | CVE ID | Product Affected | Severity | Fixed Version |
Denial of Service (DoS) vulnerability | CVE-2025-48866 | ModSecurity 2.x (mod_security2) | High | v2.9.10 |
Technical Summary
The vulnerability arises from the behaviour of the “sanitiseArg” action (also accepted under the spelling “sanitizeArg”) in ModSecurity 2.x. The action marks a named request argument (e.g. password) as sensitive so that its value is masked with asterisks (*) in the audit log instead of being written in clear text.
CVE ID | System Affected | Vulnerability Details | Impact |
CVE-2025-48866 | ModSecurity 2.x (mod_security2) prior to v2.9.10 | When a rule uses the sanitiseArg action, the engine processes every argument whose name matches the one given (e.g. password). If a request carries a large number of matching arguments (e.g. 500 or more), each one is added to an internal list with no upper bound, so memory consumption grows with the size of the request and can crash the worker process. | Crash or resource exhaustion of the web server worker (DoS) |
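The trigger condition above (one argument name repeated hundreds of times in a single request) is easy to detect on the wire. The following is an added example written for this advisory, not ModSecurity's own code: it parses a query string and urlencoded body the way a WAF sees them and reports any name repeated at least a threshold number of times, optionally restricted to the names your rules pass to sanitiseArg. The 500 default, the placeholder name `password` and the sample requests are assumptions constructed for illustration.

```python
"""Spot requests that repeat one argument name hundreds of times.

Added example for this advisory; not ModSecurity's own code. The trigger for
CVE-2025-48866 is a request carrying an excessive number of arguments that
share the name a rule passes to sanitiseArg, so the functions below parse a
query string and/or x-www-form-urlencoded body and report any name whose
repeat count reaches a threshold. The 500 default mirrors the "500 or more"
figure quoted in the advisory; the sanitised names and sample requests are
constructed for illustration.
"""
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

DEFAULT_THRESHOLD = 500  # assumption: same order as the figure in the advisory


def count_args(raw):
    """Count argument names in a query string or x-www-form-urlencoded body.

    keep_blank_values=True so `password=&password=&...` is counted; the
    sanitiser walks every matching argument regardless of its value.
    """
    return Counter(name for name, _ in parse_qsl(raw, keep_blank_values=True))


def repeated_args(raw, threshold=DEFAULT_THRESHOLD):
    """Return {name: count} for names repeated at least `threshold` times."""
    return {n: c for n, c in count_args(raw).items() if c >= threshold}


def suspicious_request(target, body="", sanitised=("password",),
                       threshold=DEFAULT_THRESHOLD):
    """Merge query and body arguments (as ModSecurity's ARGS collection does)
    and return the repeated names that your rules pass to sanitiseArg.

    `sanitised` lists the argument names used with sanitiseArg/sanitizeArg in
    the deployed rule set; ("password",) is a placeholder assumption.
    """
    combined = count_args(urlsplit(target).query) + count_args(body)
    return {n: c for n, c in combined.items()
            if n in sanitised and c >= threshold}


def repeat_arg(name, count, value="x"):
    """Build a constructed urlencoded body that repeats one argument `count`
    times; used here only to exercise the detector against lab traffic."""
    return "&".join(f"{name}={value}" for _ in range(count))


if __name__ == "__main__":
    # Constructed sample: a login POST with 500 copies of `password`.
    print(suspicious_request("/login?user=alice", repeat_arg("password", 500)))
```

Query and body counts are merged because ModSecurity's ARGS collection covers both, so a request can split the repeats between them. Run the check on traffic captured in front of an unpatched 2.x instance to see whether anyone is probing for this condition; it is a detection aid, not a substitute for upgrading.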
Remediation:
Apply Patches Promptly: Upgrade to ModSecurity version 2.9.10 or later.
Avoid using the “sanitiseArg” action (or its synonym “sanitizeArg”) in your rules until the upgrade is done. If neither action is used in the loaded rule set, the engine is not affected by this vulnerability.
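Knowing whether the workaround above applies means knowing which loaded rules use either spelling of the action. The script below is an added example written for this advisory, not part of ModSecurity or of any published rule set: it walks rule files, joins backslash continuation lines, skips comments, and lists every SecRule or SecAction that carries sanitiseArg or sanitizeArg together with its rule id. The sample rule text at the bottom is constructed for illustration; Include directives are not followed, so run it over every file your server actually loads.

```python
"""Audit ModSecurity 2.x rule files for the sanitiseArg / sanitizeArg actions.

Added example for this advisory; it is not part of ModSecurity or of any
published rule set. Rules that use either action are the ones exposed to
CVE-2025-48866 on engines older than 2.9.10, so an inventory of them tells
you whether the workaround applies to you and which rules to change.
Backslash line continuations and comment lines are handled; the sample
rule text at the bottom is constructed for illustration.
"""
import re
import sys

# Action name (either spelling) followed by the argument name it sanitises.
ACTION_RE = re.compile(r"\b(saniti[sz]eArg)\s*:\s*'?([A-Za-z0-9_.\-]+)'?",
                       re.IGNORECASE)
# The rule's id action, for reporting.
ID_RE = re.compile(r"\bid\s*:\s*'?(\d+)'?")
DIRECTIVES = ("SecRule", "SecAction")  # directives that carry an action list


def logical_lines(text):
    """Yield (first_line_number, text) with backslash continuations joined."""
    buf, start = [], None
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.rstrip()
        if start is None:
            start = lineno
        if stripped.endswith("\\"):
            buf.append(stripped[:-1])
            continue
        buf.append(stripped)
        yield start, " ".join(buf)
        buf, start = [], None
    if buf:  # file ended on a continuation line
        yield start, " ".join(buf)


def find_sanitise_arg(text):
    """Return a list of findings, one per sanitiseArg/sanitizeArg use."""
    findings = []
    for lineno, logical in logical_lines(text):
        words = logical.split(None, 1)
        if not words or words[0].startswith("#") or words[0] not in DIRECTIVES:
            continue
        rule_id = ID_RE.search(logical)
        for m in ACTION_RE.finditer(logical):
            findings.append({
                "line": lineno,
                "rule_id": rule_id.group(1) if rule_id else None,
                "action": m.group(1),
                "argument": m.group(2),
            })
    return findings


def audit_files(paths):
    """Run the audit over rule files on disk; Include directives are not followed."""
    results = {}
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            results[path] = find_sanitise_arg(fh.read())
    return results


# Constructed sample rules (not from any real rule set).
SAMPLE_RULES = """\
# constructed sample
SecRule ARGS:password "@rx ." \\
    "id:100001,phase:2,pass,nolog,sanitiseArg:password"
SecRule REQUEST_URI "@beginsWith /login" "id:100002,phase:1,pass,sanitizeArg:token"
# SecAction "id:100003,phase:1,pass,sanitiseArg:ignored"
SecRule ARGS "@rx evil" "id:100004,phase:2,deny,log"
"""

if __name__ == "__main__":
    targets = sys.argv[1:]
    hits = audit_files(targets) if targets else {"<sample>": find_sanitise_arg(SAMPLE_RULES)}
    for path, findings in hits.items():
        for f in findings:
            print(f"{path}:{f['line']} rule {f['rule_id']} uses {f['action']}:{f['argument']}")
```

The action match is case-insensitive on purpose: for an audit, a false positive costs a minute of review while a miss leaves an exposed rule in place. Each finding gives the rule id, which is what you need to disable or rewrite the rule with SecRuleRemoveById or a direct edit while the engine is still on a version before 2.9.10.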
Conclusion:
This vulnerability is similar to the earlier CVE-2025-47947 issue in the related sanitiseMatched action and presents a significant risk for organizations that rely on ModSecurity 2.x for web application protection.
Although it is rated High, it can only be exploited when a loaded rule uses sanitiseArg or sanitizeArg. To ensure the continued stability and security of web applications, the fix should still be applied as soon as possible.
References: