{
  "threat_severity" : "Moderate",
  "public_date" : "2025-06-02T15:46:19Z",
  "bugzilla" : {
    "description" : "mod_security: ModSecurity Denial of Service Vulnerability",
    "id" : "2369827",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2369827"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.9",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-1050",
  "details" : [ "ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. Versions prior to 2.9.10 contain a denial of service vulnerability similar to GHSA-859r-vvv8-rm8r/CVE-2025-47947. The `sanitiseArg` action (and `sanitizeArg`, which is an alias of the same action) is vulnerable to adding an excessive number of arguments, thereby leading to denial of service. Version 2.9.10 fixes the issue. As a workaround, avoid using rules that contain the `sanitiseArg` (or `sanitizeArg`) action.", "A denial of service flaw was found in ModSecurity. This vulnerability is present in the `sanitiseArg`/`sanitizeArg` function, which can be overloaded with a large number of arguments, leading to excessive memory usage when processing JSON values. This may lead to a denial of service in the affected web server should memory limits be exceeded." ],
  "statement" : "User configuration must have at least one rule that does a `sanitiseMatchedBytes` action to be affected (note that the details above identify `sanitiseArg`/`sanitizeArg` as the vulnerable action, so rules using those actions should be reviewed as well). Default configurations are not affected.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-08-05T00:00:00Z",
    "advisory" : "RHSA-2025:12838",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "mod_security-0:2.9.6-2.el9_6.1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions",
    "release_date" : "2025-08-12T00:00:00Z",
    "advisory" : "RHSA-2025:13716",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.0",
    "package" : "mod_security-0:2.9.3-12.el9_0.2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions",
    "release_date" : "2025-08-12T00:00:00Z",
    "advisory" : "RHSA-2025:13775",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.2",
    "package" : "mod_security-0:2.9.6-1.el9_2.2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.4 Extended Update Support",
    "release_date" : "2025-08-12T00:00:00Z",
    "advisory" : "RHSA-2025:13670",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.4",
    "package" : "mod_security-0:2.9.6-1.el9_4.2"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Fix deferred",
    "package_name" : "mod_security",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "mod_security",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat JBoss Core Services",
    "fix_state" : "Fix deferred",
    "package_name" : "mod_security",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-48866\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-48866\nhttps://github.com/owasp-modsecurity/ModSecurity/commit/3a54ccea62d3f7151bb08cb78d60c5e90b53ca2e\nhttps://github.com/owasp-modsecurity/ModSecurity/security/advisories/GHSA-859r-vvv8-rm8r\nhttps://github.com/owasp-modsecurity/ModSecurity/security/advisories/GHSA-f82j-8pp7-cw2w\nhttps://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-(v2.x)#sanitisearg" ],
  "name" : "CVE-2025-48866",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}