vulnerability
Amazon Linux 2023: CVE-2025-52891: Medium priority package update for mod_security
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 4 | (AV:N/AC:M/Au:N/C:N/I:N/A:P) | Jul 2, 2025 | Aug 19, 2025 | Aug 19, 2025 |
Severity
4
CVSS
(AV:N/AC:M/Au:N/C:N/I:N/A:P)
Published
Jul 2, 2025
Added
Aug 19, 2025
Modified
Aug 19, 2025
Description
ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. In versions 2.9.8 to before 2.9.11, an empty XML tag can cause a segmentation fault. If SecParseXmlIntoArgs is set to On or OnlyArgs, and the request type is application/xml, and at least one XML tag is empty (eg <foo></foo>), then a segmentation fault occurs. This issue has been patched in version 2.9.11. A workaround involves setting SecParseXmlIntoArgs to Off.
Solutions
amazon-linux-2023-upgrade-mod-securityamazon-linux-2023-upgrade-mod-security-debuginfoamazon-linux-2023-upgrade-mod-security-debugsourceamazon-linux-2023-upgrade-mod-security-mlogcamazon-linux-2023-upgrade-mod-security-mlogc-debuginfo
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.