We would like to share our take on CVE-2025-48866, which was published on June 2, 2025.
We recently fixed a DoS vulnerability in mod_security2 (see the blog post), affecting sanitiseMatched and sanitiseMatchedBytes. After we released the version which contains the fix, we reviewed our code for similar issues.
During this code review we found that the sanitiseArg action (and sanitizeArg, which is the same action under an alias) is vulnerable to DoS in a similar way, except that the rule writer must specify an argument for the action, e.g.,
SecRule ... "...,sanitiseArg:password..."
Only the specified argument will be sanitized. See the action’s reference.
Although the CVE rating is high (7.5/10), the flaw can only be exploited under very specific circumstances.
The issue only affects mod_security2. libmodsecurity3 is not affected as the concerned actions are not supported.
Explanation
There is a non-disruptive action in mod_security2: sanitiseArg. When a rule uses this action, matching variables (which can be argument names or values) will be masked by asterisks (*) in the audit.log, section C (request body).
The action is called every time the argument name matches the name given to the action, after the variable (e.g., ARGS) has been examined. For example, if the ARGS collection contained 500 members and all of them matched the action's argument, the action would be called 500 times. On each call, the action searches all parsed arguments for matching names and adds every matched argument name to the list of arguments to be sanitized, similar to what we explained in the previous blog post.
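As an added illustration (not ModSecurity's own code), the following Python model reproduces the cost described above: one action call per matching argument, each call re-scanning every parsed argument. The linear variant (rescan_every_call=False) is an assumed alternative included only for comparison, not necessarily the upstream patch.

```python
from urllib.parse import parse_qsl


def arg_names_from_query(query):
    """Parsed argument names in request order; duplicate names are kept
    because the engine examines each ARGS member separately."""
    return [name for name, _ in parse_qsl(query, keep_blank_values=True)]


def sanitise_cost(arg_names, target, rescan_every_call=True):
    """Model of sanitiseArg:<target> applied to one request.

    Returns (action_calls, list_comparisons, names_queued_for_masking).
    rescan_every_call=True  models the behaviour described in the post:
        the action fires once per matching argument and each firing
        walks the whole parsed-argument list again (quadratic work).
    rescan_every_call=False models a linear alternative that walks the
        list only once per target name (assumed mitigation for
        illustration, not necessarily the upstream fix).
    """
    calls = comparisons = 0
    queued = []
    already_collected = set()
    for name in arg_names:                 # engine examines each ARGS member
        if name != target:
            continue
        calls += 1                         # the action fires for this match
        if not rescan_every_call and target in already_collected:
            continue
        already_collected.add(target)
        for other in arg_names:            # search all parsed arguments ...
            comparisons += 1
            if other == target:            # ... and queue every matching name
                queued.append(other)
    return calls, comparisons, len(queued)


if __name__ == "__main__":
    # Constructed request body: 500 repeated "password" parameters.
    body = "&".join("password=x" for _ in range(500))
    names = arg_names_from_query(body)
    for rescan in (True, False):
        calls, cmp, queued = sanitise_cost(names, "password", rescan)
        print(f"rescan_every_call={rescan}: calls={calls} "
              f"comparisons={cmp} queued={queued}")
```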
This bug only affects mod_security2, probably all 2.x versions. It does not affect libmodsecurity3, as that engine does not support the sanitiseArg action.