We would like to share our take on CVE-2025-47947, which was published on May 21, 2025.
The issue was described in March by a customer in a private report. We tried to reproduce it, but the first time we weren't able to. After some further discussion we were able to successfully resolve the issue and later found the root cause. This is why it took a while.
Although the CVE's severity rating is high (7.5/10), the flaw can only be exploited in very rare cases.
The problem affects only mod_security2; libmodsecurity3 is not affected at all.
Explanation
There are two non-disruptive actions in mod_security2: sanitiseMatched and sanitiseMatchedBytes. If a rule uses one of these actions, the matched variable (which can be the argument name or the value) is replaced by a * (asterisk) in section C (request body) of the audit log.
The action used (sanitiseMatched or sanitiseMatchedBytes) is called every time the operator returns TRUE after examining a variable (e.g. ARGS). If ARGS has 500 items, the action is called 500 times. Each call searches all parsed arguments for names matching the matched variable and adds every argument it finds to the list of arguments to be sanitised.

If the argument names in the request body are all the same, every argument is added in each call. As mentioned above, with 500 arguments this happens 500 times, and 500 * 500 equals 250 000. This means the engine needs to store 250 000 entries in memory for a single action. If you have more rules with any sanitise* action, multiply by that number.

This can lead to a DoS, because storing these items takes a lot of memory and CPU time.
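The quadratic growth described above can be reproduced with a small model of the engine's behaviour. The following is an added example, not ModSecurity's own code: the argument and list structures are constructed for illustration, `sanitise_matched_naive` mimics the per-match scan described in the text (one call per matched ARGS item, each call queueing every argument with the same name), and `sanitise_matched_dedup` is an assumed hardened variant that remembers which arguments are already queued for the request. It is meant to show why the entry count goes from N to N², not to reproduce the actual patch released in v2.9.9.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of a parsed request argument (not ModSecurity's real struct). */
typedef struct {
    const char *name;
    const char *value;
} arg_t;

/* Growing list of "to be sanitised" entries. In the real engine these are kept
   so that section C of the audit log can be masked; here we only count them. */
typedef struct {
    size_t count;
    size_t cap;
    const arg_t **items;
} sanitise_list_t;

static void list_init(sanitise_list_t *l) { l->count = 0; l->cap = 0; l->items = NULL; }
static void list_free(sanitise_list_t *l) { free(l->items); list_init(l); }

static int list_push(sanitise_list_t *l, const arg_t *a) {
    if (l->count == l->cap) {
        size_t ncap = l->cap ? l->cap * 2 : 16;
        const arg_t **n = realloc(l->items, ncap * sizeof *n);
        if (!n) return -1;
        l->items = n;
        l->cap = ncap;
    }
    l->items[l->count++] = a;
    return 0;
}

/* Naive action, as described in the advisory: called once per matched variable,
   it scans every parsed argument and queues all of them that share the name. */
static void sanitise_matched_naive(sanitise_list_t *l, const arg_t *args, size_t n,
                                   const arg_t *matched) {
    for (size_t i = 0; i < n; i++)
        if (strcmp(args[i].name, matched->name) == 0)
            list_push(l, &args[i]);
}

/* Assumed hardened variant (illustration, not the project's fix): a per-request
   "queued" bitmap ensures each argument is added to the list at most once. */
static void sanitise_matched_dedup(sanitise_list_t *l, const arg_t *args, size_t n,
                                   const arg_t *matched, unsigned char *queued) {
    for (size_t i = 0; i < n; i++)
        if (!queued[i] && strcmp(args[i].name, matched->name) == 0) {
            queued[i] = 1;
            list_push(l, &args[i]);
        }
}

/* Simulate a rule whose operator returns TRUE for every ARGS item and that
   carries a sanitise* action. Returns the number of list entries produced. */
size_t simulate(const arg_t *args, size_t n, int dedup) {
    sanitise_list_t l;
    list_init(&l);
    unsigned char *queued = calloc(n ? n : 1, 1);
    for (size_t i = 0; i < n; i++) {            /* one action call per matched variable */
        if (dedup) sanitise_matched_dedup(&l, args, n, &args[i], queued);
        else       sanitise_matched_naive(&l, args, n, &args[i]);
    }
    size_t c = l.count;
    list_free(&l);
    free(queued);
    return c;
}

/* Worst case from the advisory: n arguments that all share one name. */
size_t simulate_same_name(size_t n, int dedup) {
    arg_t *args = malloc((n ? n : 1) * sizeof *args);
    for (size_t i = 0; i < n; i++) { args[i].name = "id"; args[i].value = "x"; }
    size_t c = simulate(args, n, dedup);
    free(args);
    return c;
}

/* Constructed mixed request: three "id" arguments and one "x" argument. */
size_t simulate_mixed_example(int dedup) {
    static const arg_t mixed[] = { {"id", "1"}, {"id", "2"}, {"x", "3"}, {"id", "4"} };
    return simulate(mixed, sizeof mixed / sizeof mixed[0], dedup);
}

int main(void) {
    printf("500 same-named args, naive: %zu entries\n", simulate_same_name(500, 0));
    printf("500 same-named args, dedup: %zu entries\n", simulate_same_name(500, 1));
    printf("mixed request, naive: %zu, dedup: %zu\n",
           simulate_mixed_example(0), simulate_mixed_example(1));
    return 0;
}
```

With 500 identically named arguments the naive model stores 250 000 entries (500 matches times 500 queued arguments each), while the deduplicated variant stores 500; in the mixed request only the arguments sharing a name multiply, which is why the bug surfaces only with many same-named parameters in one request body.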
This bug affects only mod_security2, probably all 2.x versions. It does not affect libmodsecurity3, which does not support the sanitiseMatched and sanitiseMatchedBytes actions.
We have fixed this issue and released version v2.9.9 with the fix - please upgrade as soon as possible.
During the analysis we found some unexpected behavior and realized that the current solution is not the best one. We are working on improving the sanitisation mechanism and will probably implement it in libmodsecurity3 as well.