CVE-2025-48866
Published: 02 June 2025
Summary
CVE-2025-48866 is a high-severity Excessive Platform Resource Consumption within a Loop (CWE-1050) vulnerability in OWASP ModSecurity. Its CVSS base score is 7.5 (High).
Operationally, it is ranked in the top 21.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
ModSecurity is an open source web application firewall engine supporting Apache, IIS, and Nginx. Versions prior to 2.9.10 contain a denial-of-service vulnerability in the sanitiseArg and sanitizeArg actions (the latter an alias), which can be abused to add an excessive number of arguments and exhaust resources. The flaw is comparable to the earlier issue tracked as GHSA-859r-vvv8-rm8r/CVE-2025-47947 and carries a CVSS 3.1 score of 7.5 reflecting high availability impact with network attack vector and no required credentials.
An unauthenticated remote attacker can trigger the condition simply by sending HTTP requests that match WAF rules employing the affected actions, resulting in service disruption without any impact on confidentiality or integrity. Exploitation requires the presence of such rules; otherwise the vulnerable code path is not reached.
The project addressed the issue in release 2.9.10 via commit 3a54ccea. Official guidance recommends upgrading or, as a workaround, removing any rules that reference sanitiseArg or sanitizeArg. Related advisories and distribution notices (including Debian LTS) reiterate the same upgrade and avoidance steps.
EPSS remains flat at 0.0107 with no material increase after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-16670
Vulnerability details
ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. Versions prior to 2.9.10 contain a denial of service vulnerability similar to GHSA-859r-vvv8-rm8r/CVE-2025-47947. The `sanitiseArg` action (and `sanitizeArg`, which is the same action under an alias) is vulnerable to adding an excessive number of arguments, thereby leading to denial of service. Version 2.9.10 fixes the issue. As a workaround, avoid using rules that contain the `sanitiseArg` (or `sanitizeArg`) action.
- CWE(s): CWE-1050 (Excessive Platform Resource Consumption within a Loop)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.