ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. Versions prior to 2.9.10 contain a denial of service vulnerability similar to GHSA-859r-vvv8-rm8r/CVE-2025-47947. The `sanitiseArg` (and `sanitizeArg` - this is the same action but an alias) is vulnerable to adding an excessive number of arguments, thereby leading to denial of service. Version 2.9.10 fixes the issue. As a workaround, avoid using rules that contain the `sanitiseArg` (or `sanitizeArg`) action.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HOwasp Modsecurity
APPOwasp< 2.9.10
Related vulnerabilities
ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx....
ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx....
ModSecurity / libModSecurity 3.0.0 to 3.0.11 is affected by a WAF bypass for path-based payloads submitted via...
Trustwave ModSecurity 3.x before 3.0.10 has Inefficient Algorithmic Complexity.
Trustwave ModSecurity 3.0.5 through 3.0.8 before 3.0.9 allows a denial of service (worker crash and unresponsi...