Source: modsecurity-apache X-Debbugs-CC: t...@security.debian.org Severity: grave Tags: security
Hi, The following vulnerability was published for modsecurity-apache. CVE-2025-47947[0]: | ModSecurity is an open source, cross platform web application | firewall (WAF) engine for Apache, IIS and Nginx. Versions up to and | including 2.9.8 are vulnerable to denial of service in one special | case (in stable released versions): when the payload's content type | is `application/json`, and there is at least one rule which does a | `sanitiseMatchedBytes` action. A patch is available at pull request | 3389 and expected to be part of version 2.9.9. No known workarounds | are available. https://github.com/owasp-modsecurity/ModSecurity/security/advisories/GHSA-859r-vvv8-rm8r If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2025-47947 https://www.cve.org/CVERecord?id=CVE-2025-47947 Please adjust the affected versions in the BTS as needed.
