VDB

OESA-2025-1676

OESA-2025-1676 PUBLISHED CVSS 9.3 CRITICAL

Security Fix(es): ModSecurity is an open source, cross-platform web application firewall (WAF) engine for Apache, IIS and Nginx. Versions prior to 2.9.10 contain a denial of service vulnerability similar to GHSA-859r-vvv8-rm8r/CVE-2025-47947. The `sanitiseArg` action (and `sanitizeArg`, an alias for the same action) is vulnerable to the addition of an excessive number of arguments, which leads to denial of service. Version 2.9.10 fixes the issue. As a workaround, avoid using rules that contain the `sanitiseArg` (or `sanitizeArg`) action. (CVE-2025-48866)
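To apply the workaround before upgrading, the rule set has to be audited for the affected action. The following is an added example, not part of the advisory or of ModSecurity: a small scanner that reports every rule using `sanitiseArg` or `sanitizeArg`, including rules split across backslash-continued lines. The function names and the sample rules are hypothetical and constructed for illustration.

```python
import re

# Action named in the advisory plus its alias; matched case-insensitively to be conservative.
ACTION_RE = re.compile(r"\b(saniti[sz]eArg)\s*:", re.IGNORECASE)
# Directives that carry an action list in ModSecurity 2.x.
DIRECTIVE_RE = re.compile(r"^\s*(SecRuleUpdateActionById|SecRule|SecAction)\b", re.IGNORECASE)
RULE_ID_RE = re.compile(r"\bid\s*:\s*'?(\d+)", re.IGNORECASE)

def logical_lines(text):
    """Yield (first_line_no, text) with backslash-continued lines joined."""
    buf, start = [], None
    for n, raw in enumerate(text.splitlines(), 1):
        start = n if start is None else start
        line = raw.rstrip()
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        yield start, " ".join(buf)
        buf, start = [], None
    if buf:  # file ended in the middle of a continuation
        yield start, " ".join(buf)

def find_sanitise_arg_rules(text):
    """Return (line_no, directive, rule_id, action) for each rule using the action."""
    findings = []
    for line_no, line in logical_lines(text):
        if line.lstrip().startswith("#"):
            continue  # commented-out rules are not loaded
        directive = DIRECTIVE_RE.match(line)
        action = ACTION_RE.search(line)
        if directive and action:
            rule_id = RULE_ID_RE.search(line)
            findings.append((line_no, directive.group(1),
                             rule_id.group(1) if rule_id else None, action.group(1)))
    return findings

# Constructed sample rules (not taken from any real rule set).
SAMPLE_RULES = r'''
# sanitiseArg:legacy is only mentioned in this comment
SecRule ARGS_NAMES "@rx ^pass" \
    "id:1001,phase:2,pass,nolog,\
    sanitiseArg:password"
SecAction "id:1002,phase:1,nolog,pass,sanitizeArg:token"
SecRule REQUEST_URI "@beginsWith /login" "id:1003,phase:1,deny,status:403"
'''

if __name__ == "__main__":
    for finding in find_sanitise_arg_rules(SAMPLE_RULES):
        print(finding)
```

A rule reported with a rule id of `None` has no `id` on its own line (for example a chained rule) and needs to be traced back to its parent rule by hand.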

Risk Scores

CVSS v4.0
9.3
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Products

| Vendor | Product | Versions |
| --- | --- | --- |
| openEuler:24.03-LTS | mod_security | 0, 0 |
| openEuler:22.03-LTS-SP3 | mod_security | 0, 0 |
| openEuler:20.03-LTS-SP4 | mod_security | 0, 0 |
| openEuler:24.03-LTS-SP1 | mod_security | 0, 0 |
| openEuler:22.03-LTS-SP4 | mod_security | 0, 0 |

Timeline

  • Jun 27, 2025 CVE Published
  • Sep 3, 2025 CVE Updated
  • May 2, 2026 Security Advisory