CVE-2025-52891
📋 TL;DR
This vulnerability in ModSecurity causes a segmentation fault when processing XML requests containing empty tags, leading to denial of service. It affects ModSecurity installations with SecParseXmlIntoArgs enabled and processing application/xml content. The vulnerability can crash the WAF, potentially exposing backend applications to attacks.
💻 Affected Systems
- ModSecurity
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete WAF failure allowing unfiltered attacks to reach backend applications, potentially leading to data breaches or system compromise.
Likely Case
Denial of service causing WAF to crash, requiring manual restart and temporary loss of web application protection.
If Mitigated
Minimal impact if workaround is applied or vulnerable configuration is not used.
🎯 Exploit Status
Simple XML payload can trigger the crash without authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.9.11
Vendor Advisory: https://github.com/owasp-modsecurity/ModSecurity/security/advisories/GHSA-gw9c-4wfm-vj3x
Restart Required: Yes
Instructions:
1. Download ModSecurity 2.9.11 from official repository. 2. Follow standard installation procedures for your platform. 3. Restart web server to apply changes.
🔧 Temporary Workarounds
Disable XML parsing into arguments
allSet SecParseXmlIntoArgs to Off to prevent the vulnerable code path from being triggered.
SecParseXmlIntoArgs Off
🧯 If You Can't Patch
- Implement network filtering to block or sanitize XML requests with empty tags before reaching ModSecurity.
- Deploy additional WAF or reverse proxy layer to handle XML parsing before requests reach vulnerable ModSecurity instance.
🔍 How to Verify
Check if Vulnerable:
Check ModSecurity version and configuration: 1. Verify version is between 2.9.8-2.9.10. 2. Check if SecParseXmlIntoArgs is On or OnlyArgs.Check Version:
modsecurity -VVerify Fix Applied:
1. Confirm version is 2.9.11 or higher. 2. Test with XML request containing empty tags to ensure no segmentation fault occurs.📡 Detection & Monitoring
Log Indicators:
- Segmentation fault errors in web server logs
- ModSecurity process crashes
- Unusual XML requests with empty tags
Network Indicators:
- Spike in XML requests with empty tags
- Web server becoming unresponsive after XML requests
SIEM Query:
source="modsecurity.log" AND ("segmentation fault" OR "SIGSEGV" OR "crash")