We would like to share our take on CVE-2025-52891, which was published on July 1, 2025.
The vulnerability was reported by Andrew Howe (@RedXanadu). He discovered that the engine (mod_security2 only) crashes when SecParseXmlIntoArgs is used in combination with specific payloads.
SecParseXmlIntoArgs is a new feature in both mod_security2 and libmodsecurity3. If the administrator sets this configuration directive to On or ArgsOnly, then the engine parses XML nodes into ARGS and the node paths into ARGS_NAMES. For detailed information on this new feature, please read the documentation, or see the PR.
During the code review we found that if the feature was set to On or ArgsOnly, and the XML payload contained an empty node (for example <foo></foo>), then it triggered a crash.
The CVE rating for this vulnerability is only moderate (6.5/10), and because the default setting of this directive is Off, if you haven't configured the directive, you're not affected.
The issue only affects mod_security2. libmodsecurity3 is not affected, as it is a C++ library and does not use strlen() here at all.
Explanation
The problem was that we used the strlen() function to compute the length of a node's value, but when a node was empty, strlen() was applied to a NULL pointer.
We reviewed the affected code and removed uses of strlen() where it was possible. Note that libxml2 (the XML parser used by mod_security2) does not allow any \0 characters in either node names or values.
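The failure mode described above, as an added example that is not ModSecurity's own code: a small C walk over a constructed node tree (a stand-in for libxml2's node shape, not libxml2 itself) that maps leaf elements to argument names and values the way a SecParseXmlIntoArgs-style feature would. An empty element such as <foo></foo> has a NULL content pointer; the null-safe value_len() treats it as an empty string instead of passing NULL to strlen(). The dotted "xml.root.foo" naming of ARGS_NAMES is an assumption made for this example, not the documented format.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the node fields the walk needs. This is not
 * libxml2's xmlNode: an element has a name, an optional text content
 * pointer (NULL for an empty element such as <foo></foo>), a first
 * child and a next sibling. */
typedef struct node {
    const char *name;
    const char *content;      /* NULL when the element has no text */
    struct node *children;
    struct node *next;
} node_t;

/* Null-safe length: the fix is to treat a missing value as an empty
 * string instead of handing a NULL pointer to strlen(). */
size_t value_len(const char *s) {
    return s ? strlen(s) : 0;
}

#define MAX_ARGS 16
#define PATH_MAX_LEN 128

typedef struct {
    char name[PATH_MAX_LEN];  /* would land in ARGS_NAMES */
    char value[PATH_MAX_LEN]; /* would land in ARGS */
    size_t value_length;
} arg_t;

typedef struct {
    arg_t items[MAX_ARGS];
    int count;
} args_t;

/* Recursive walk: each leaf element becomes one argument whose name is
 * the dotted path from the root (assumed naming, see lead-in). */
static void walk(const node_t *n, const char *prefix, args_t *out) {
    char path[PATH_MAX_LEN];
    for (; n != NULL; n = n->next) {
        snprintf(path, sizeof path, "%s.%s", prefix, n->name);
        if (n->children != NULL) {
            walk(n->children, path, out);
            continue;
        }
        if (out->count >= MAX_ARGS) return;
        arg_t *a = &out->items[out->count++];
        snprintf(a->name, sizeof a->name, "%s", path);
        /* Empty element: content is NULL, so copy "" rather than dereference. */
        snprintf(a->value, sizeof a->value, "%s", n->content ? n->content : "");
        a->value_length = value_len(n->content);
    }
}

args_t parse_into_args(const node_t *root) {
    args_t out = { .count = 0 };
    walk(root, "xml", &out);
    return out;
}

/* Constructed sample tree equivalent to:
 *   <root><foo></foo><bar>hello</bar></root>
 * <foo> is the empty element that triggered the original crash. */
static node_t bar_node  = { "bar",  "hello", NULL,      NULL };
static node_t foo_node  = { "foo",  NULL,    NULL,      &bar_node };
static node_t root_node = { "root", NULL,    &foo_node, NULL };

const node_t *sample_tree(void) {
    return &root_node;
}

int main(void) {
    args_t a = parse_into_args(sample_tree());
    for (int i = 0; i < a.count; i++)
        printf("%s = \"%s\" (len %zu)\n", a.items[i].name, a.items[i].value,
               a.items[i].value_length);
    return 0;
}
```

Running it lists two arguments: xml.root.foo with an empty value of length 0, and xml.root.bar with "hello" of length 5. Replacing value_len() with a bare strlen(n->content) reproduces the class of defect the advisory describes, a NULL dereference on the empty element.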
This bug only affects mod_security2, and only versions 2.9.8, 2.9.9 and 2.9.10. It does not affect libmodsecurity3.
Special thanks
I would like to thank @theseion, @fzipi and @RedXanadu for their help.