We would like to share our take on CVE-2025-27110, which was published on February 25, 2025.
On February 13 an issue was opened in the ModSecurity repository by Max Leske on behalf of the CRS team. As the issue describes, the t:htmlEntityDecode transformation suddenly no longer decoded some HTML entities that it previously had.
After a quick review we found this commit, which belongs to PR #3231. In that change, the author replaced dynamic memory allocation with a fixed-length buffer, a well-intended optimization.
The consequence of the change is that if the encoded HTML entity contains leading zeroes (regardless of whether the entity is in hexadecimal or decimal format), the transformation does not process the entity as expected: the zero padding should be ignored, but is not.
This faulty behavior opens the door to trivial bypasses of all rules that use the t:htmlEntityDecode transformation. The impact score is 7.9.
This bug only affects libmodsecurity3 v3.0.13, which was released on Sep 3, 2024. Previous versions are not affected by this bug.
We have fixed this issue and released version v3.0.14 with the fix; please upgrade as soon as possible.
In addition to correcting the transformation, regression tests have been added to prevent the same regression from happening again in the future.
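To make the expected behaviour concrete, here is an added example (not libModSecurity's own code, and not its test suite) of a small numeric-entity decoder in which leading zeroes are simply absorbed while accumulating the digit run, so no fixed-width buffer is involved, together with a constructed set of regression vectors of the kind described above: each zero-padded form must decode to exactly the same byte as its unpadded form. The helper names, the optional trailing `;`, the UTF-8 output for code points above 0x7F and the 0x10FFFF upper bound are assumptions of this example; named entities such as `&lt;` are deliberately out of scope.

```cpp
#include <cctype>
#include <iostream>
#include <string>
#include <vector>

// Hypothetical reference decoder for numeric HTML character references
// (&#NNN; and &#xHHH;). It is not libModSecurity's implementation; it only
// illustrates the behaviour the advisory expects: any number of leading
// zeroes is ignored, so "&#060;" and "&#x0003c;" decode like "&#60;".
// Assumptions: ';' is optional, empty digit runs and values above 0x10FFFF
// are left untouched, and code points above 0x7F are emitted as UTF-8.

static int hexVal(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return c - 'A' + 10;
}

static void appendUtf8(std::string &out, unsigned long cp) {
    if (cp < 0x80) {
        out += static_cast<char>(cp);
    } else if (cp < 0x800) {
        out += static_cast<char>(0xC0 | (cp >> 6));
        out += static_cast<char>(0x80 | (cp & 0x3F));
    } else if (cp < 0x10000) {
        out += static_cast<char>(0xE0 | (cp >> 12));
        out += static_cast<char>(0x80 | ((cp >> 6) & 0x3F));
        out += static_cast<char>(0x80 | (cp & 0x3F));
    } else {
        out += static_cast<char>(0xF0 | (cp >> 18));
        out += static_cast<char>(0x80 | ((cp >> 12) & 0x3F));
        out += static_cast<char>(0x80 | ((cp >> 6) & 0x3F));
        out += static_cast<char>(0x80 | (cp & 0x3F));
    }
}

std::string decodeNumericEntities(const std::string &in) {
    std::string out;
    size_t i = 0;
    while (i < in.size()) {
        if (in[i] == '&' && i + 1 < in.size() && in[i + 1] == '#') {
            size_t j = i + 2;
            bool hex = false;
            if (j < in.size() && (in[j] == 'x' || in[j] == 'X')) { hex = true; ++j; }
            const size_t digitsStart = j;
            unsigned long value = 0;
            // Accumulate the whole digit run: leading zeroes contribute nothing
            // to the value, so "&#0000060;" yields 60 exactly like "&#60;".
            while (j < in.size() &&
                   (hex ? std::isxdigit(static_cast<unsigned char>(in[j]))
                        : std::isdigit(static_cast<unsigned char>(in[j])))) {
                if (value <= 0x10FFFF)  // stop growing once clearly out of range
                    value = value * (hex ? 16 : 10) + (hex ? hexVal(in[j]) : in[j] - '0');
                ++j;
            }
            if (j > digitsStart && value <= 0x10FFFF) {
                appendUtf8(out, value);
                if (j < in.size() && in[j] == ';') ++j;  // consume optional ';'
                i = j;
                continue;
            }
            // Not a well-formed reference: fall through and copy '&' literally.
        }
        out += in[i++];
    }
    return out;
}

struct Vector { const char *input; const char *expected; };

// Constructed regression vectors (not the project's test suite): every
// zero-padded form must decode identically to its unpadded form.
static const std::vector<Vector> kVectors = {
    {"&#60;", "<"},        {"&#060;", "<"},      {"&#0000060;", "<"},
    {"&#x3c;", "<"},       {"&#x3C;", "<"},      {"&#x0003c;", "<"},
    {"&#X0003C;", "<"},    {"&#60", "<"},        // ';' is optional here
    {"&#233;", "\xC3\xA9"},                      // U+00E9 as UTF-8
    {"&#;", "&#;"},        {"&#x;", "&#x;"},     // no digits: left as-is
    {"&#1114112;", "&#1114112;"},                // 0x110000: out of range
    {"plain text", "plain text"},
};

// Number of vectors whose output differs from the expected one; 0 when correct.
int countRegressionFailures() {
    int failures = 0;
    for (const auto &v : kVectors)
        if (decodeNumericEntities(v.input) != v.expected) ++failures;
    return failures;
}

int main() {
    for (const auto &v : kVectors)
        std::cout << v.input << " -> " << decodeNumericEntities(v.input) << "\n";
    std::cout << "failures: " << countRegressionFailures() << "\n";
    return countRegressionFailures() == 0 ? 0 : 1;
}
```

The point of the vector table is that a padded and an unpadded spelling of the same character are compared against one expected value; a decoder that silently returns the padded input unchanged, as the v3.0.13 transformation did, fails those rows immediately, which is the kind of regression check that catches a buffer-sizing change before release.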