CVE-2025-47947

7.5 HIGH

📋 TL;DR

ModSecurity v2 (the Apache module) up to and including 2.9.8 can be driven into a denial of service while it processes a JSON request body under a rule that uses the sanitiseMatchedBytes action. An unauthenticated attacker sends a crafted application/json request to any application behind the WAF and the worker handling it stops serving traffic; no privileges or user interaction are needed (CVSS 7.5: network, low complexity, availability impact only). Only deployments that both parse JSON bodies and use sanitiseMatchedBytes are affected, and ModSecurity 3.x (libmodsecurity) is outside the advisory's stated range.

💻 Affected Systems

Products:
  • ModSecurity
Versions: All 2.x releases up to and including 2.9.8 (fixed in 2.9.9)
Operating Systems: Linux, Windows, macOS
Default Config Vulnerable: ✅ No
Notes: Only exposed when the JSON body processor is enabled for application/json requests (the ctl:requestBodyProcessor=JSON rule shipped in modsecurity.conf-recommended) and at least one rule uses the sanitiseMatchedBytes action. ModSecurity 3.x (libmodsecurity) is a separate code base outside the stated affected range.

📦 What is this software?

ModSecurity is an open-source web application firewall engine. The 2.x line affected here is the Apache module (mod_security2); it parses request bodies, including JSON when the JSON body processor is enabled, into variables that rules inspect. sanitiseMatchedBytes is a rule action that masks the bytes a rule matched before they are written to the audit log, so it tends to appear in rules covering passwords, card numbers and similar secrets.

⚠️ Risk & Real-World Impact

🔴

Worst Case

A sustained attack keeps the WAF's worker pool unavailable and takes the protected application offline; operators who switch ModSecurity off to restore service leave the application unprotected

🟠

Likely Case

Intermittent worker failures and restarts, with short outages and windows in which requests are not inspected

🟢

If Mitigated

Minimal impact with proper monitoring and rapid response to service interruptions

🌐 Internet-Facing: HIGH - Web applications are directly exposed to internet traffic that can trigger this vulnerability
🏢 Internal Only: MEDIUM - Internal applications could still be targeted by authenticated users or compromised internal systems

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation needs only an unauthenticated HTTP request whose Content-Type selects the JSON body processor (application/json) and whose body is shaped to trigger the affected code path in a rule that uses sanitiseMatchedBytes; no user interaction or foothold is required, just the ability to reach a protected endpoint. No public proof of concept was listed at the time of writing.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.9.9

Vendor Advisory: https://github.com/owasp-modsecurity/ModSecurity/security/advisories/GHSA-859r-vvv8-rm8r

Restart Required: Yes

Instructions:

  1. Upgrade to ModSecurity 2.9.9 or later from the official repository (https://github.com/owasp-modsecurity/ModSecurity) or from your distribution's package (libapache2-mod-security2 on Debian/Ubuntu, mod_security on RHEL/EPEL) once it carries the fix.
  2. If you must stay on an older release, backport the fix from pull request #3389 and rebuild.
  3. Recompile and reinstall the module.
  4. Restart the web server that loads it (Apache; IIS or Nginx where the v2 module is used) and confirm the start-up line in the error log reports the new version.

🔧 Temporary Workarounds

Disable JSON body parsing, or drop the sanitiseMatchedBytes rules for JSON requests

Applies to: all affected versions

Either stop handing application/json bodies to the JSON body processor, or keep JSON parsing and remove the rules that carry sanitiseMatchedBytes for such requests. Both close the code path the advisory describes; the first also means JSON bodies are no longer inspected as ARGS, so prefer the second where the rule ids are known.

# Option A: stop parsing JSON bodies by commenting out this rule from modsecurity.conf-recommended:
# SecRule REQUEST_HEADERS:Content-Type "^application/json" "id:'200001',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"
# Option B: keep JSON parsing but drop the affected rule(s) for JSON requests (900100 and 900200 are placeholder ids; use the ids found by grep):
SecRule REQUEST_HEADERS:Content-Type "@rx ^application/json" "id:900100,phase:1,t:none,t:lowercase,pass,nolog,ctl:ruleRemoveById=900200"

🧯 If You Can't Patch

  • Rate-limit JSON endpoints per client at the load balancer or reverse proxy: this caps how many crafted requests an attacker can send, but a single request can still reach the affected code path, so treat it as damage control rather than a fix
  • Put the ModSecurity hosts behind a load balancer with health checks and failover, and alert on worker restarts, so a stalled or crashed worker pool does not take the application offline unnoticed
  • Prefer the workaround above (removing sanitiseMatchedBytes rules for JSON requests) over disabling JSON body parsing, which leaves JSON bodies uninspected

🔍 How to Verify

Check if Vulnerable:

ModSecurity v2 ships as a web-server module, not a stand-alone binary, so there is no modsecurity -V command. On Apache, check the module version and then the two preconditions (JSON body processor enabled, sanitiseMatchedBytes in use); paths are Debian/Ubuntu defaults, adjust for your layout:

  apachectl -M | grep security2
  grep -h 'ModSecurity for Apache/' /var/log/apache2/error.log | tail -n 1
  grep -rn 'ctl:requestBodyProcessor=JSON' /etc/modsecurity/ /etc/apache2/
  grep -rn 'sanitiseMatchedBytes' /etc/modsecurity/ /usr/share/modsecurity-crs/

You are exposed only if the version is 2.9.8 or older and both grep commands return uncommented lines.

Check Version:

The module logs "ModSecurity for Apache/<version> (http://www.modsecurity.org/) configured." each time the server starts; read it from the error log as above, or ask the package manager: dpkg -s libapache2-mod-security2 | grep Version (Debian/Ubuntu) or rpm -q mod_security (RHEL/EPEL).

Verify Fix Applied:

After upgrading and restarting the server, confirm the start-up line (or the package version) reports 2.9.9 or later.
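The checks above as one script, added here as an example rather than taken from the advisory or the ModSecurity project. It parses the module's start-up line from the Apache error log, decides whether the version is in the affected range, and scans a configuration directory for the two preconditions; the error-log path, the directory and the rule file contents used in the demonstration are assumptions.

```shell
#!/bin/sh
# Added example (not from the advisory or the ModSecurity project): decide whether an Apache
# host is exposed to CVE-2025-47947. Exposure needs all three conditions at once:
#   1. ModSecurity v2 at 2.9.8 or older,
#   2. JSON request bodies handed to the JSON body processor (ctl:requestBodyProcessor=JSON),
#   3. at least one active rule carrying the sanitiseMatchedBytes action.
# The error-log path and the configuration directory are assumptions; pass your own.

# True (exit 0) when VERSION lies in the affected range 2.x <= 2.9.8.
modsec_version_affected() {
    v="$1"
    case "$v" in *.*) ;; *) return 1 ;; esac          # need at least major.minor
    major="${v%%.*}"; rest="${v#*.}"
    minor="${rest%%.*}"
    if [ "$rest" = "$minor" ]; then patch=0; else patch="${rest#*.}"; fi
    patch="${patch%%[!0-9]*}"                           # "8-dev" -> "8"
    case "$major$minor${patch:-0}" in *[!0-9]*|"") return 1 ;; esac
    [ "$major" -eq 2 ] || return 1                      # 3.x (libmodsecurity) is a separate code base
    [ "$minor" -lt 9 ] && return 0
    if [ "$minor" -eq 9 ] && [ "${patch:-0}" -le 8 ]; then return 0; fi
    return 1
}

# Extract the version from the module's start-up line in the Apache error log, e.g.
# "ModSecurity for Apache/2.9.8 (http://www.modsecurity.org/) configured."
# Reads the log text on stdin and prints the last version seen (empty if none).
modsec_version_from_log() {
    sed -n 's#.*ModSecurity for Apache/\([0-9][0-9.]*\).*#\1#p' | tail -n 1
}

# True when some uncommented line under DIR contains PATTERN (fixed string).
active_directive() {   # $1 = directory, $2 = pattern
    grep -rhF -- "$2" "$1" 2>/dev/null | grep -qv '^[[:space:]]*#'
}

# Verdict for VERSION and DIR: prints EXPOSED or NOT-EXPOSED with the reason,
# exit 0 only when exposed. DIR should hold modsecurity.conf and the rule files.
modsec_exposed() {   # $1 = version string, $2 = configuration directory
    v="$1"; dir="$2"
    [ -n "$v" ] || { echo "UNKNOWN (no version found)"; return 1; }
    modsec_version_affected "$v" || { echo "NOT-EXPOSED (version $v is fixed or not v2)"; return 1; }
    active_directive "$dir" 'ctl:requestBodyProcessor=JSON' \
        || { echo "NOT-EXPOSED (JSON body processor not enabled)"; return 1; }
    active_directive "$dir" 'sanitiseMatchedBytes' \
        || { echo "NOT-EXPOSED (no active sanitiseMatchedBytes rule)"; return 1; }
    echo "EXPOSED (ModSecurity $v, JSON parsing on, sanitiseMatchedBytes in use)"
}

# Stand-alone use: sh modsec_check.sh /var/log/apache2/error.log /etc/modsecurity
if [ "$#" -eq 2 ]; then
    modsec_exposed "$(modsec_version_from_log < "$1")" "$2"
fi
```

The rule scan ignores commented-out lines but not rules disabled through SecRuleRemoveById or ctl actions, so read an EXPOSED verdict as "needs a closer look at the rule set", and a NOT-EXPOSED verdict based on the JSON processor only as valid for the directory you scanned.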

📡 Detection & Monitoring

Log Indicators:

  • Apache workers exiting or being restarted while handling application/json requests ("AH00052: child pid N exit signal ..." entries in the Apache error log); ModSecurity v2 runs inside the worker, so a WAF failure shows up as a web-server child failure, not as a separate process crash
  • A burst of application/json requests from one client, or JSON bodies of unusual size or structure, shortly before the failures
  • Service times (%D in the LogFormat) climbing for JSON requests only, while other requests are unaffected

Network Indicators:

  • Spike in HTTP 5xx responses or connection timeouts from the protected application
  • Unusual JSON payload sizes or structures

SIEM Query:

The action name sanitiseMatchedBytes is not written to logs unless audit log part K (matched rules) is enabled, which it is not by default, so do not search for it. Correlate worker failures with JSON traffic instead, for example:

source="apache_error" AND ("AH00052" OR "exit signal" OR "Segmentation fault")
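A log-side check for the first two indicators, added here as an example and not taken from the page's sources or the ModSecurity project. It assumes a tab-separated Apache LogFormat that records client, epoch timestamp, method, path, status, service time in microseconds and the Content-Type and Content-Length request headers (the format name jsonwatch and the thresholds are assumptions), and flags clients that exceed a JSON request rate inside a sliding window or whose JSON request took unusually long to serve. The sample log lines are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the advisory or the ModSecurity project. Flags clients whose
# application/json traffic looks like a DoS attempt: too many JSON requests inside a
# sliding window, or a single JSON request that took far too long to serve.
# Assumed Apache LogFormat (name and field choice are assumptions):
#   LogFormat "%h\t%{%s}t\t%m\t%U\t%>s\t%D\t%{Content-Type}i\t%{Content-Length}i" jsonwatch
#   CustomLog /var/log/apache2/jsonwatch.log jsonwatch
# Fields: 1 client  2 epoch seconds  3 method  4 path  5 status  6 microseconds
#         7 Content-Type  8 Content-Length

TAB="$(printf '\t')"

# Read jsonwatch lines on stdin; print "<ip>\tburst" for clients with more than MAXREQ
# JSON requests in any WINDOW seconds and "<ip>\tslow" for clients with a JSON request
# slower than MAXUS microseconds. Output is sorted so it is stable for comparison.
json_dos_suspects() {   # $1 = MAXREQ, $2 = WINDOW seconds, $3 = MAXUS
    awk -F "$TAB" -v maxreq="$1" -v win="$2" -v maxus="$3" '
        tolower($7) ~ /^application\/json/ {
            ip = $1; ts = $2 + 0; us = $6 + 0
            n[ip]++; t[ip, n[ip]] = ts
            # slide the window: discard timestamps older than win seconds
            while (n[ip] - first[ip] > 0 && ts - t[ip, first[ip] + 1] > win) first[ip]++
            if (n[ip] - first[ip] > maxreq) burst[ip] = 1
            if (us > maxus) slow[ip] = 1
        }
        END {
            for (ip in burst) print ip "\tburst"
            for (ip in slow)  print ip "\tslow"
        }' | sort
}

# Constructed sample, not real traffic: 203.0.113.5 sends 12 JSON POSTs in 12 s,
# 198.51.100.7 sends one JSON POST that takes 2.5 s to serve, 192.0.2.9 is benign.
sample_log() {
    i=0
    while [ "$i" -lt 12 ]; do
        printf '203.0.113.5\t%d\tPOST\t/api/orders\t200\t1800\tapplication/json\t64\n' $((1747735200 + i))
        i=$((i + 1))
    done
    printf '203.0.113.5\t1747735215\tGET\t/\t200\t900\t-\t-\n'
    printf '198.51.100.7\t1747735230\tPOST\t/api/orders\t200\t2500000\tapplication/json; charset=utf-8\t524288\n'
    printf '192.0.2.9\t1747735240\tPOST\t/api/orders\t201\t2100\tapplication/json\t80\n'
    printf '192.0.2.9\t1747735300\tPOST\t/api/orders\t201\t1900\tapplication/json\t75\n'
}

# Demo: sh jsonwatch.sh --demo
# Live use: json_dos_suspects 10 60 1000000 < /var/log/apache2/jsonwatch.log
if [ "${1:-}" = "--demo" ]; then
    sample_log | json_dos_suspects 10 60 1000000
fi
```

Tune the thresholds to the endpoint: a request that legitimately takes seconds will trip the slow rule, and a busy API client will trip the burst rule, so baseline normal traffic first and feed the flagged clients to the rate limiter rather than blocking outright.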
