ModSecurity WAF Vulnerability Enables DoS Using Empty XML Elements

A newly disclosed vulnerability in ModSecurity, a widely used open-source web application firewall (WAF), exposes servers to denial-of-service (DoS) attacks by exploiting a flaw in the way the software parses empty XML elements.

The flaw, registered as CVE-2025-52891, affects ModSecurity versions 2.9.8 through 2.9.10 (every release before 2.9.11) and is rated with a CVSS v3 base score of 6.5 (moderate severity).

Vulnerability Details

The issue arises when the SecParseXmlIntoArgs feature is enabled (set to “On” or “OnlyArgs”).

If an incoming HTTP request has a Content-Type of application/xml and contains at least one empty XML element (a tag with no text content), ModSecurity attempts to parse the XML node.

CVE ID          Affected Versions   Patched Version   Severity   CVSS
CVE-2025-52891  2.9.8–2.9.10        2.9.11            Moderate   6.5

The vulnerability is triggered because the software calls the strlen() function to determine the length of the XML node’s value; when the node is empty, that value is a null pointer, so strlen() dereferences null, causing a segmentation fault that crashes the WAF process.

An attacker can exploit this crash by repeatedly sending specially crafted XML payloads, effectively taking down the WAF and potentially exposing the protected web application to further attacks.

The vulnerability only affects mod_security2 and does not impact the newer libmodsecurity3 library, which is written in C++ and does not rely on the same parsing logic.
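The following C example, added here and not taken from ModSecurity’s source, illustrates the bug class the article describes: a node’s content pointer is null for an empty element, and calling strlen() on it crashes, whereas a null check turns the same input into a zero-length value. The tiny element extractor and the convention that an empty element yields a NULL content pointer are assumptions for the demo, not ModSecurity’s real parser.

```c
#include <stddef.h>
#include <string.h>

/* Toy stand-in for a parsed XML node. As in libxml2-style trees (an
 * assumption mirroring the article's description), the text content
 * pointer is NULL when the element is empty: <a/> or <a></a>. */
typedef struct {
    const char *content; /* NULL for an empty element */
} xml_node_t;

/* Extract the text of the first element in a one-element XML snippet
 * into buf. Returns 1 on success, 0 on malformed input. Demo only. */
static int parse_one_element(const char *xml, xml_node_t *out,
                             char *buf, size_t buflen)
{
    const char *open = strchr(xml, '<');
    if (!open) return 0;
    const char *close = strchr(open, '>');
    if (!close) return 0;
    if (close[-1] == '/') { out->content = NULL; return 1; } /* <a/> */
    const char *text = close + 1;
    const char *end = strchr(text, '<'); /* start of the closing tag */
    if (!end) return 0;
    size_t n = (size_t)(end - text);
    if (n == 0) { out->content = NULL; return 1; } /* <a></a> */
    if (n + 1 > buflen) return 0;
    memcpy(buf, text, n);
    buf[n] = '\0';
    out->content = buf;
    return 1;
}

/* Vulnerable pattern from the article: strlen() straight on the content
 * pointer; for an empty element that pointer is NULL and this crashes. */
static size_t value_len_unsafe(const xml_node_t *node)
{
    return strlen(node->content);
}

/* Hardened pattern: treat a missing value as zero-length before any
 * string function touches it. */
static size_t value_len_safe(const xml_node_t *node)
{
    return node->content ? strlen(node->content) : 0;
}
```

Only value_len_safe() is safe to call on the empty-element cases; value_len_unsafe() is shown to make the defect visible next to its fix.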

Impact and Mitigation

  • Attack Vector: Network (remote)
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required (malicious request)
  • Scope: Unchanged
  • Confidentiality/Integrity: None
  • Availability: High (DoS)

By default, the SecParseXmlIntoArgs directive is set to “Off,” so only installations that have enabled this feature are vulnerable.

Administrators are advised to immediately disable SecParseXmlIntoArgs or upgrade to the patched version 2.9.11 as soon as it becomes available.

The vulnerability was reported by Andrew Howe (@RedXanadu), with special thanks to contributors who assisted in identifying and patching the bug.

Administrators using ModSecurity are urged to review their configurations and apply mitigations or updates promptly to safeguard their web infrastructure.
