A newly disclosed vulnerability in the ModSecurity2 web application firewall, tracked as CVE-2025-47947, has raised concerns over potential Denial of Service (DoS) attacks under specific, rare conditions. The issue was officially published on May 21, 2025, and is rated 7.5 (High) on the CVSS scale.
The vulnerability was initially reported privately by a customer in March 2025. After initial attempts to reproduce the bug proved unsuccessful, further analysis and collaboration eventually uncovered the root cause. According to developers, the delay in resolving the issue was due to the complexity of reproducing the specific conditions under which the flaw manifests.
CVE-2025-47947 Technical Details
The issue lies in two specific non-disruptive actions within ModSecurity2: sanitiseMatched and sanitiseMatchedBytes. These actions are designed to obscure sensitive data in logs by replacing matched variables, such as argument names or values, with asterisks (*) in the audit log’s section C (request body).
When these actions are triggered, they iterate over the matched arguments in the request body. In cases where argument names are duplicated with large payloads, the action may loop excessively. For example, a request containing 500 identical arguments would cause the engine to perform 500 x 500 iterations, leading to 250,000 items stored in memory for just one rule. Multiple such rules could further compound the issue, consuming excessive system resources and potentially leading to a Denial of Service.
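To illustrate the quadratic cost described above, here is an added Python example (not ModSecurity's own code) that models the per-argument work of a sanitise-style action over a URL-encoded request body and flags requests whose duplicated argument names would push that work past a threshold. The cost model, the function names and the default threshold are assumptions made for illustration.

```python
from collections import Counter
from urllib.parse import parse_qsl


def estimated_sanitise_work(body: str) -> int:
    """Simplified model of the cost the advisory describes: for each
    matched argument the action walks every argument sharing that name
    again, so n copies of one name cost n * n steps (500 copies of one
    name -> 250,000 items). This is an assumed model, not ModSecurity's
    actual implementation."""
    pairs = parse_qsl(body, keep_blank_values=True)
    counts = Counter(name for name, _ in pairs)
    # Each argument name contributes count * count items of work.
    return sum(c * c for c in counts.values())


def flag_excessive_duplicates(body: str, max_work: int = 10_000) -> bool:
    """Return True when the body's duplicated argument names would drive
    the estimated sanitisation work above max_work (assumed threshold);
    useful as a pre-filter or log-review check on the defender's side."""
    return estimated_sanitise_work(body) > max_work


# Constructed sample body: three copies of "a" and one "b".
SAMPLE_BODY = "a=1&a=2&a=3&b=x"

if __name__ == "__main__":
    print(estimated_sanitise_work(SAMPLE_BODY))        # 3*3 + 1*1 = 10
    print(flag_excessive_duplicates(SAMPLE_BODY))      # False
```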
This vulnerability only affects ModSecurity version 2.x and does not impact libmodsecurity3, which lacks support for the sanitiseMatched and sanitiseMatchedBytes actions.
Remediation of CVE-2025-47947
The development team has addressed the issue with the release of ModSecurity version 2.9.9. All users of ModSecurity2 are strongly advised to upgrade immediately to avoid potential exploitation.
In the course of addressing this vulnerability, the team identified areas for improvement in the sanitization process. Plans are underway to redesign the mechanism and potentially implement an enhanced version in libmodsecurity3, ensuring better performance and security against similar issues in the future.
Administrators using ModSecurity2 should update to version 2.9.9 without delay. Monitoring systems for abnormal memory or CPU usage may also help detect attempted exploitation of the vulnerability.
Source: hxxps[://]modsecurity[.]org/20250521/possible-dos-vulnerability-cve-2025-47947-2025-may/