vulnerability
Ubuntu: USN-7567-1 (CVE-2025-48866): ModSecurity vulnerabilities
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 8 | (AV:N/AC:L/Au:N/C:N/I:N/A:C) | Jun 2, 2025 | Jun 17, 2025 | Apr 16, 2026 |
Severity
8
CVSS
(AV:N/AC:L/Au:N/C:N/I:N/A:C)
Published
Jun 2, 2025
Added
Jun 17, 2025
Modified
Apr 16, 2026
Description
ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. Versions prior to 2.9.10 contain a denial of service vulnerability similar to GHSA-859r-vvv8-rm8r/CVE-2025-47947. The `sanitiseArg` (and `sanitizeArg` - this is the same action but an alias) is vulnerable to adding an excessive number of arguments, thereby leading to denial of service. Version 2.9.10 fixes the issue. As a workaround, avoid using rules that contain the `sanitiseArg` (or `sanitizeArg`) action.
Solutions
ubuntu-pro-upgrade-libapache2-mod-security2ubuntu-pro-upgrade-libapache2-modsecurityubuntu-upgrade-libapache2-mod-security2
Rapid7 Labs
2026 Global Threat Landscape Report
The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.