A newly discovered denial-of-service vulnerability in the ModSecurity Web Application Firewall (WAF) engine has security professionals on high alert.
The flaw, tracked as CVE-2025-52891, affects specific versions of mod_security2 and can be triggered by processing XML requests containing empty tags, potentially causing complete service disruption.
The vulnerability affects mod_security2 versions 2.9.8, 2.9.9, and 2.9.10, but only when administrators have enabled the SecParseXmlIntoArgs feature.
This relatively new functionality, which parses XML nodes into ARGS and node paths into ARGS_NAMES for improved security monitoring, becomes a liability when processing malformed XML content.
ModSecurity is widely known as the "Swiss Army Knife" of WAFs and serves as the standard open-source web application firewall engine used by businesses, government organizations, internet service providers, and commercial WAF vendors worldwide.
Originally designed for Apache HTTP Server, it has evolved to support multiple platforms, including Microsoft IIS and Nginx.
The vulnerability stems from improper handling of empty XML tags during the parsing process. When SecParseXmlIntoArgs is set to "On" or "OnlyArgs" and the system receives XML content with Content-Type "application/xml" containing at least one empty tag (such as <foo></foo>), a segmentation fault occurs.
The root cause lies in ModSecurity's use of the strlen() function to compute the length of XML node values. When processing empty nodes, strlen() is applied to a null value, triggering the crash.
This is a classic null pointer dereference vulnerability, where the program attempts to access memory that has not been allocated or has been deallocated.
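To make the root cause concrete, here is an added C example (not ModSecurity's own code) that models parsed XML nodes as (path, value) pairs, represents an empty element with a NULL value as the article describes, and shows the bare strlen() pattern that crashes beside a NULL-tolerant version that builds ARGS-style entries safely. Struct and function names are hypothetical, and the assumption that the XML library returns NULL rather than "" for an empty element is the article's, not verified here.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for a parsed XML node: the node path that becomes an ARGS_NAMES
 * entry and the node text that becomes the ARGS value.  An empty element
 * such as <foo></foo> is modelled with value == NULL (assumption: the XML
 * library hands back NULL rather than "" for an element with no text). */
struct xml_node { const char *path, *value; };

/* One collected argument, with its value length recorded once. */
struct collected_arg { const char *name, *value; size_t len; };

/* The pattern the article describes: strlen() applied straight to the node
 * value.  With value == NULL this is a null pointer dereference and crashes. */
size_t node_value_len_unsafe(const char *value) {
    return strlen(value);
}

/* Hardened form: a missing value is treated as the empty string. */
size_t node_value_len_safe(const char *value) {
    return value ? strlen(value) : 0;
}

/* Turn parsed nodes into ARGS-style entries without ever handing a NULL to
 * strlen().  Returns the number of entries written (at most cap). */
size_t collect_args(const struct xml_node *nodes, size_t n,
                    struct collected_arg *out, size_t cap) {
    size_t count = 0;
    for (size_t i = 0; i < n && count < cap; i++) {
        out[count].name = nodes[i].path;
        out[count].value = nodes[i].value ? nodes[i].value : "";
        out[count].len = node_value_len_safe(nodes[i].value);
        count++;
    }
    return count;
}

int main(void) {
    /* Constructed input equivalent to <root><foo></foo><bar>abc</bar></root> */
    const struct xml_node nodes[] = { { "root.foo", NULL }, { "root.bar", "abc" } };
    struct collected_arg args[2];
    size_t n = collect_args(nodes, 2, args, 2);
    for (size_t i = 0; i < n; i++)
        printf("%s = \"%s\" (%zu bytes)\n", args[i].name, args[i].value, args[i].len);
    return 0;
}
```

The same input run through node_value_len_unsafe() would fault on the first node, which is exactly the condition the article attributes to the empty tag.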
Impact and Exploitation
Security researchers rate this vulnerability with a moderate CVSS score of 6.5/10, primarily because of the specific configuration requirements needed for exploitation. However, the impact can be severe for affected systems:
Complete service disruption through denial-of-service attacks
Server crashes requiring manual restart
No authentication required for exploitation
Remote attack vector enabling attacks from anywhere on the internet
The vulnerability affects only mod_security2 installations and does not impact libmodsecurity3, which is implemented in C++ and does not use the problematic strlen() function. This architectural difference highlights the importance of secure coding practices across different programming languages.
The vulnerability was discovered and reported by Andrew Howe (@RedXanadu), a cybersecurity expert based in Melbourne, Australia. Howe is well known in the security community for his open-source security research and contributions to penetration testing methodologies.
His work has been featured in security textbooks, academic papers, and professional methodologies, including the OWASP Testing Guide.
Mitigation Strategies
System administrators have several options to protect their installations:
Immediate Workaround: Set SecParseXmlIntoArgs to "Off" in the ModSecurity configuration. Since this is the default setting, many installations may already be protected.
Long-term Solution: Apply the forthcoming security patch when it becomes available. The OWASP ModSecurity team has acknowledged the vulnerability and indicated that a patch is in development.
Configuration Review: Audit existing ModSecurity configurations to identify systems using the SecParseXmlIntoArgs feature and assess whether this functionality is necessary for specific use cases.
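The configuration review step above can be automated. The following added C helper (not part of ModSecurity; function and enum names are hypothetical) reads a configuration buffer and reports the effective SecParseXmlIntoArgs mode, honouring comment lines, case-insensitive directive and value names, last-directive-wins ordering, and the Off default the article mentions. It assumes Apache-style syntax with one directive per line.

```c
#include <ctype.h>
#include <string.h>

/* Settings of the SecParseXmlIntoArgs directive named in the article: Off is
 * the default, On and OnlyArgs enable the affected XML-to-ARGS code path. */
enum xml_args_mode { XML_ARGS_OFF = 0, XML_ARGS_ON = 1, XML_ARGS_ONLY_ARGS = 2 };

/* Case-insensitive comparison of a non-terminated token against a keyword. */
static int token_equals(const char *tok, size_t len, const char *word) {
    if (strlen(word) != len) return 0;
    for (size_t i = 0; i < len; i++)
        if (tolower((unsigned char)tok[i]) != tolower((unsigned char)word[i])) return 0;
    return 1;
}

/* Scan an in-memory ModSecurity configuration and return the effective
 * SecParseXmlIntoArgs mode.  Lines whose first non-blank character is '#'
 * are comments, a later directive overrides an earlier one, and an absent
 * directive means the default (Off).  Hypothetical helper for this example. */
enum xml_args_mode effective_xml_args_mode(const char *config) {
    enum xml_args_mode mode = XML_ARGS_OFF;
    const char *line = config;
    while (*line) {
        const char *end = strchr(line, '\n');
        size_t linelen = end ? (size_t)(end - line) : strlen(line);
        const char *p = line, *stop = line + linelen;
        while (p < stop && isspace((unsigned char)*p)) p++;
        if (p < stop && *p != '#') {
            const char *tok = p;
            while (p < stop && !isspace((unsigned char)*p)) p++;
            if (token_equals(tok, (size_t)(p - tok), "SecParseXmlIntoArgs")) {
                while (p < stop && isspace((unsigned char)*p)) p++;
                const char *val = p;
                while (p < stop && !isspace((unsigned char)*p)) p++;
                size_t vlen = (size_t)(p - val);
                if (token_equals(val, vlen, "On")) mode = XML_ARGS_ON;
                else if (token_equals(val, vlen, "OnlyArgs")) mode = XML_ARGS_ONLY_ARGS;
                else if (token_equals(val, vlen, "Off")) mode = XML_ARGS_OFF;
            }
        }
        if (!end) break;
        line = end + 1;
    }
    return mode;
}
```

Any result other than XML_ARGS_OFF on an affected mod_security2 version means the host should be reconfigured or patched; included files are not followed, so run it over each file in the configuration tree.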
This vulnerability is the latest in a series of security issues affecting ModSecurity installations. Earlier in 2025, the platform faced other significant vulnerabilities, including CVE-2025-48866, a high-severity denial-of-service flaw related to the "sanitiseArg" action that could be exploited by submitting excessive numbers of arguments.
The discovery of CVE-2025-52891 underscores the ongoing security challenges facing web application firewalls, which serve as critical first lines of defense against web-based attacks. As these systems process increasingly complex and diverse web traffic, including XML payloads, the attack surface continues to expand.
The OWASP ModSecurity project, which transitioned from Trustwave to OWASP custody in early 2024, has been actively addressing security issues and implementing improvements to the platform. The community has established new development processes and community engagement initiatives to foster continued security improvements.
Security experts recommend that organizations running ModSecurity conduct immediate assessments of their configurations and implement appropriate mitigation measures. The relatively narrow attack vector, which requires specific configuration settings, may limit widespread exploitation, but affected systems remain vulnerable until properly patched or reconfigured.
This incident serves as a reminder that even security-focused applications like web application firewalls require ongoing vigilance and prompt patching to maintain their protective capabilities against evolving threats.