exploitDog

CVE-2025-52891

Published: 02 Jul 2025
Source: debian
EPSS: Low

Description

ModSecurity is an open source, cross-platform web application firewall (WAF) engine for Apache, IIS and Nginx. In versions 2.9.8 to before 2.9.11, an empty XML tag can cause a segmentation fault. If SecParseXmlIntoArgs is set to On or OnlyArgs, and the request type is application/xml, and at least one XML tag is empty (e.g. <foo></foo>), then a segmentation fault occurs. This issue has been patched in version 2.9.11. A workaround involves setting SecParseXmlIntoArgs to Off.
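
The following check is an added example, not code from the ModSecurity project or from this page. It combines the version range and the SecParseXmlIntoArgs condition from the description to classify a host. The function names, result labels and sample configuration are constructed for illustration, and it assumes the directive defaults to Off when absent and that the last occurrence wins.

```python
import re

# Affected range as stated in the description: 2.9.8 up to, not including, 2.9.11.
AFFECTED_MIN = (2, 9, 8)
FIXED = (2, 9, 11)

# Anchored at line start, so commented-out directives ("# Sec...") never match.
DIRECTIVE = re.compile(r"^\s*SecParseXmlIntoArgs\s+(\S+)", re.IGNORECASE)


def parse_version(text):
    """Turn '2.9.10' into (2, 9, 10); a packaging suffix such as '-1' is ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(p) for p in m.groups())


def effective_setting(config_text, default="off"):
    """Return the last uncommented SecParseXmlIntoArgs value, lower-cased.

    Assumption: the directive defaults to Off when absent, and a later
    occurrence overrides an earlier one.
    """
    value = default
    for line in config_text.splitlines():
        m = DIRECTIVE.match(line)
        if m:
            value = m.group(1).strip("\"'").lower()
    return value


def assess(version, config_text):
    """Classify as 'patched', 'not-in-range', 'mitigated' or 'exposed'."""
    v = parse_version(version)
    if not (AFFECTED_MIN <= v < FIXED):
        return "patched" if v >= FIXED else "not-in-range"
    setting = effective_setting(config_text)
    return "exposed" if setting in ("on", "onlyargs") else "mitigated"


# Constructed sample configuration, not taken from a real deployment.
SAMPLE_CONF = """\
SecRuleEngine On
# SecParseXmlIntoArgs Off
SecParseXmlIntoArgs OnlyArgs
"""

if __name__ == "__main__":
    print(assess("2.9.10", SAMPLE_CONF))
```

The check reads only the text it is given, so pass it the concatenation of the main configuration and every included file, in load order.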

Packages

| Package | Status | Fix version | Release | Type |
|---|---|---|---|---|
| modsecurity-apache | fixed | 2.9.11-1 | | package |
| modsecurity-apache | not-affected | | bookworm | package |
| modsecurity-apache | not-affected | | bullseye | package |

Notes

  • https://github.com/owasp-modsecurity/ModSecurity/security/advisories/GHSA-gw9c-4wfm-vj3x

  • Introduced with: https://github.com/owasp-modsecurity/ModSecurity/commit/0c8cc6e2cf88ba2da48dffe29807521c36ed8ce1 (v2.9.9)

  • Fixed by: https://github.com/owasp-modsecurity/ModSecurity/commit/ca99ccd23fd92c002a3901e890b4b6ea394f292b (v2.9.11)

  • Fixed by: https://github.com/owasp-modsecurity/ModSecurity/commit/89d3ad38c5a964f760af240e3ace3467bb729a64 (v2.9.11)

  • Fixed by: https://github.com/owasp-modsecurity/ModSecurity/commit/f9e81f2c78188b486dee6d76fd274d06e15d0a71 (v2.9.11)

  • Fixed by: https://github.com/owasp-modsecurity/ModSecurity/commit/8cb7fc82fecd182369bcffd93ab81f48d9c0a18c (v2.9.11)

  • Fixed by: https://github.com/owasp-modsecurity/ModSecurity/commit/e56d62960eee41e4ed92c8acafe5cad80047601a (v2.9.11)

  • Fixed by: https://github.com/owasp-modsecurity/ModSecurity/commit/8879413abf507b1921f6feb292ee91e0f0064b01 (v2.9.11)

EPSS

Percentile: 19%
0.00061
Low

Related vulnerabilities

CVSS3: 6.5
ubuntu
about 1 month ago

CVSS3: 4.3
redhat
about 1 month ago

CVSS3: 6.5
nvd
about 1 month ago
