Cyber Resilience

CVE-2025-48866

Severity: High · Public PoC

Published: 02 June 2025
Modified: 02 July 2025
CVSS v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS: 0.0107 (78.1 percentile)
Risk Priority: 16 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-48866 is a high-severity Excessive Platform Resource Consumption within a Loop (CWE-1050) vulnerability in OWASP ModSecurity. Its CVSS base score is 7.5 (High).

Operationally, it ranks in the top 21.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

ModSecurity is an open source web application firewall engine supporting Apache, IIS, and Nginx. Versions prior to 2.9.10 contain a denial-of-service vulnerability in the sanitiseArg action (and its alias sanitizeArg), which can be abused to add an excessive number of arguments and exhaust resources. The flaw is comparable to the earlier issue tracked as GHSA-859r-vvv8-rm8r/CVE-2025-47947 and carries a CVSS 3.1 score of 7.5, reflecting high availability impact with a network attack vector and no required credentials.

An unauthenticated remote attacker can trigger the condition simply by sending HTTP requests that match WAF rules employing the affected actions, resulting in service disruption without any impact on confidentiality or integrity. Exploitation requires the presence of such rules; otherwise the vulnerable code path is not reached.

The project addressed the issue in release 2.9.10 via commit 3a54ccea. Official guidance recommends upgrading or, as a workaround, removing any rules that reference sanitiseArg or sanitizeArg. Related advisories and distribution notices (including Debian LTS) reiterate the same upgrade and avoidance steps.

EPSS remains flat at 0.0107 with no material increase after disclosure.

EU & UK References

Vulnerability details

ModSecurity is an open source, cross-platform web application firewall (WAF) engine for Apache, IIS and Nginx. Versions prior to 2.9.10 contain a denial of service vulnerability similar to GHSA-859r-vvv8-rm8r/CVE-2025-47947. The `sanitiseArg` (and `sanitizeArg` - this is the same action but an alias) is vulnerable to adding an excessive number of arguments, thereby leading to denial of service. Version 2.9.10 fixes the issue. As a workaround, avoid using rules that contain the `sanitiseArg` (or `sanitizeArg`) action.
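To check whether the workaround above applies to a given deployment, the following script (an added example, not code from the ModSecurity project or this advisory) lists the `SecRule`/`SecAction` directives in a ModSecurity 2.x configuration that still carry the `sanitiseArg` or `sanitizeArg` action, following backslash line continuations and skipping comments. The configuration text is constructed for the example.

```python
import re

# Constructed sample configuration (not from any real deployment). It mixes a
# single-line rule, a backslash-continued rule using the alias spelling, an
# unaffected rule, a comment, and a different "sanitise*" action.
SAMPLE_CONF = r"""
SecRuleEngine On
SecRule ARGS "@rx password" "id:1001,phase:2,pass,log,sanitiseArg:password"
SecRule REQUEST_HEADERS:Authorization "@rx Basic" \
    "id:1002,phase:1,pass,nolog,sanitizeArg:secret"
SecRule ARGS:token "@rx ^[a-z]+$" "id:1003,phase:2,deny,status:403"
# sanitiseArg:comment appears only in this comment, so it must not be flagged
SecAction "id:1004,phase:1,pass,nolog,sanitiseMatched"
"""

# Matches both spellings of the affected action, but not e.g. sanitiseMatched.
ACTION_RE = re.compile(r"\bsaniti[sz]eArg\b")
ID_RE = re.compile(r"\bid:(\d+)")


def logical_lines(text):
    """Yield directives with backslash-continued lines joined, as the config parser sees them."""
    buf = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf.append(line[:-1].rstrip())
            continue
        buf.append(line)
        yield " ".join(buf)
        buf = []
    if buf:  # trailing continuation without a final line
        yield " ".join(buf)


def find_sanitise_arg_rules(conf_text):
    """Return (rule id or None, directive text) for every rule using sanitiseArg/sanitizeArg."""
    hits = []
    for line in logical_lines(conf_text):
        directive = line.lstrip()
        if directive.startswith("#") or not directive.startswith(("SecRule", "SecAction")):
            continue
        if ACTION_RE.search(directive):
            m = ID_RE.search(directive)
            hits.append((m.group(1) if m else None, directive))
    return hits


if __name__ == "__main__":
    for rule_id, directive in find_sanitise_arg_rules(SAMPLE_CONF):
        print(f"rule id {rule_id}: {directive}")
```

Run it against real `*.conf` files by reading them into `find_sanitise_arg_rules`; any hit is a rule to remove or rewrite until the upgrade to 2.9.10 is in place.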

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

owasp / modsecurity ≤ 2.9.10

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References