CVE-2025-27110

7.5 HIGH

📋 TL;DR

Libmodsecurity3 version 3.0.13 fails to decode HTML entities containing leading zeroes, potentially allowing attackers to bypass web application firewall rules. This affects any system using ModSecurity v3 with the vulnerable library version. The vulnerability could enable evasion of security controls designed to detect malicious web traffic.

💻 Affected Systems

Products:
  • ModSecurity v3
  • Libmodsecurity3
Versions: Version 3.0.13 only
Operating Systems: All platforms running the vulnerable library
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems using ModSecurity v3 with the specific vulnerable library version. ModSecurity v2 and other versions are not affected.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers successfully bypass WAF protections, delivering payloads that would normally be blocked, leading to successful attacks like SQL injection, XSS, or remote code execution.

🟠

Likely Case

Limited WAF bypass for specific encoded payloads, potentially allowing some attacks to evade detection while other security layers may still catch them.

🟢

If Mitigated

With proper defense-in-depth including application-level validation and other security controls, impact is reduced even if WAF bypass occurs.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires crafting specific HTML entities with leading zeroes to bypass WAF rules. No public exploit code has been identified.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 3.0.14

Vendor Advisory: https://github.com/owasp-modsecurity/ModSecurity/security/advisories/GHSA-42w7-rmv5-4x2j

Restart Required: No

Instructions:

1. Update Libmodsecurity3 to version 3.0.14 or later.
2. Recompile/relink any applications using the library.
3. Verify the update was successful.

🔧 Temporary Workarounds

No workarounds available

The vendor advisory states no known workarounds exist for this vulnerability.

🧯 If You Can't Patch

  • Implement additional application-level input validation and sanitization
  • Deploy additional WAF or security controls in front of vulnerable systems

🔍 How to Verify

Check if Vulnerable:

Check the Libmodsecurity3 version: if it is exactly 3.0.13, the system is vulnerable.

Check Version:

Check library version through your distribution's package manager or compile-time version information.

Verify Fix Applied:

Verify Libmodsecurity3 version is 3.0.14 or higher after update.

📡 Detection & Monitoring

Log Indicators:

  • Unusual patterns of encoded HTML entities in web traffic
  • Requests that should be blocked by WAF rules but aren't

Network Indicators:

  • HTTP requests containing numeric HTML entities with leading zeroes (e.g., '&#060;', which decodes to '<')

SIEM Query:

Search for web requests containing decimal numeric entities with at least one leading zero, e.g. the pattern '&#0+[0-9]+;', in URI or POST data after URL-decoding (a pattern such as '&#0*[0-9]+;' would also match ordinary entities without padding zeros and produce noise).
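As an added example (not from the advisory or the ModSecurity project), the detection idea above carried out in Python over constructed access-log lines: it flags requests whose URI contains decimal numeric entities with a leading zero, and normalizes them the way a correct decoder (here the standard library's html.unescape) does, so the same character is seen with or without padding zeros. The log format, client IPs and query strings are constructed sample data.

```python
import re
from html import unescape
from urllib.parse import unquote

# Decimal numeric entity with at least one leading zero (&#060; but not &#60;).
# This is the page's SIEM pattern tightened so that the zero is mandatory.
LEADING_ZERO_ENTITY = re.compile(r"&#0+[0-9]+;")

# Combined-log-style request line: client IP ... "METHOD URI HTTP/x"
REQUEST_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:[A-Z]+) (\S+) HTTP/[\d.]+"')

# Constructed sample access-log lines (not real traffic). The second line carries
# percent-encoded leading-zero entities; the third carries the same markup without
# padding zeros, which a non-vulnerable rule set already handles.
LOG_LINES = [
    '203.0.113.5 - - [10/Mar/2025:12:00:01 +0000] "GET /search?q=hello HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Mar/2025:12:00:02 +0000] "GET /search?q=%26%23060%3Bb%26%23062%3B HTTP/1.1" 200 488',
    '203.0.113.9 - - [10/Mar/2025:12:00:03 +0000] "GET /search?q=%26%2360%3Bb%26%2362%3B HTTP/1.1" 403 0',
]

def normalize_request_data(data: str) -> str:
    """Percent-decode, then decode HTML entities as a correct decoder does:
    html.unescape treats &#060; and &#60; identically, so a rule that looks
    for '<' after this step is not fooled by padding zeros."""
    return unescape(unquote(data))

def leading_zero_entities(data: str) -> list:
    """Return the raw leading-zero decimal entities found after percent-decoding."""
    return LEADING_ZERO_ENTITY.findall(unquote(data))

def scan_log(lines) -> list:
    """Flag requests whose URI contains leading-zero numeric entities.
    Returns one (client_ip, normalized_uri, entities) tuple per flagged line."""
    flagged = []
    for line in lines:
        m = REQUEST_LINE.match(line)
        if not m:
            continue  # skip lines that are not request records
        ip, uri = m.group(1), m.group(2)
        ents = leading_zero_entities(uri)
        if ents:
            flagged.append((ip, normalize_request_data(uri), ents))
    return flagged

if __name__ == "__main__":
    for ip, uri, ents in scan_log(LOG_LINES):
        print(f"{ip} sent leading-zero entities {ents}; normalized URI: {uri}")
```

Running it over the three sample lines flags only the second request; the normalized URI shows the decoded markup a correctly patched decoder would present to the rule engine.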
