ModSecurity Flaw Lets Hackers Crash Web Servers
A newly disclosed vulnerability in ModSecurity, one of the most widely used open-source web application firewalls, could allow attackers to crash affected systems. Tracked as CVE-2025-48866, the flaw affects all versions of mod_security2 prior to 2.9.10 and stems from improper handling of the `sanitiseArg` and `sanitizeArg` actions. It can be exploited remotely without authentication: excessive argument sanitization loops overwhelm system resources and cause a denial-of-service condition.
The vulnerability, rated with a CVSS score of 7.5, arises when rules explicitly define arguments for sanitization, leading to repeated function calls that can exhaust server resources. The flaw does not affect the newer libmodsecurity3, which lacks support for the problematic functions.
ModSecurity's development team recommends upgrading to version 2.9.10. As a temporary workaround, administrators should disable the affected `sanitiseArg`/`sanitizeArg` rule actions in their rule sets and monitor systems for abnormal resource usage. The issue was discovered during a follow-up code review after a similar flaw, CVE-2025-47947.
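To apply the workaround, an administrator first has to know which rules actually carry the affected actions and whether the installed mod_security2 is older than 2.9.10. The following script is an added example, not ModSecurity project code: it locates `sanitiseArg`/`sanitizeArg` actions in SecRule text (the sample rule set is constructed for illustration) and compares a version string against 2.9.10.

```python
# Added example (not ModSecurity project code): find rules that use the sanitiseArg /
# sanitizeArg actions so they can be disabled until mod_security2 is upgraded to 2.9.10.
import re

FIXED_VERSION = (2, 9, 10)  # first mod_security2 release that carries the fix
# action keyword, optional whitespace, colon, then an optionally single-quoted argument name
ACTION_RE = re.compile(r"\bsaniti[sz]eArg\s*:\s*'?([^,'\"\s]+)", re.IGNORECASE)

SAMPLE_RULES = """\
# constructed sample rule set for illustration, not a real CRS file
SecRule ARGS:password "@rx ." "id:100001,phase:2,pass,nolog,sanitiseArg:password"
SecRule ARGS:cc "@verifyCC \\d{13,16}" \\
    "id:100002,phase:2,pass,log,sanitizeArg:cc"
# SecRule ARGS:old "@rx ." "id:100003,phase:2,pass,sanitiseArg:old"
SecRule REQUEST_HEADERS:User-Agent "@rx evil" "id:100004,phase:1,deny"
"""

def parse_version(text: str) -> tuple:
    """Extract the first X.Y.Z in strings such as 'ModSecurity for Apache/2.9.8'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(x) for x in m.groups())

def is_vulnerable_version(text: str) -> bool:
    """True when the string names a mod_security2 release older than 2.9.10."""
    return parse_version(text) < FIXED_VERSION

def find_sanitise_actions(rule_text: str) -> list:
    """Return (first_line_number, argument_name) for every sanitiseArg/sanitizeArg action.
    Trailing-backslash continuation lines are joined first; commented-out rules are skipped."""
    hits, buf, start = [], [], 0
    for n, raw in enumerate(rule_text.splitlines(), start=1):
        if not buf:
            start = n          # remember where this logical directive began
        buf.append(raw.rstrip())
        if buf[-1].endswith("\\"):
            continue           # directive continues on the next line
        logical = " ".join(part.rstrip("\\") for part in buf)
        buf = []
        if not logical.lstrip().startswith("#"):
            hits.extend((start, m.group(1)) for m in ACTION_RE.finditer(logical))
    return hits

if __name__ == "__main__":
    print(find_sanitise_actions(SAMPLE_RULES))  # [(2, 'password'), (3, 'cc')]
```

Feed `find_sanitise_actions` the contents of each rule file in the ModSecurity include path; any hit on a host reporting a version below 2.9.10 is a rule to disable until the upgrade is done.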
