
Critical ModSecurity WAF Vulnerability Allows Denial of Service via Empty XML Tags


A newly disclosed vulnerability, identified as CVE-2025-52891, has been found in ModSecurity2, a widely used open-source web application firewall (WAF) for platforms such as Apache, IIS, and Nginx.

The flaw, rated as moderate severity, affects versions 2.9.8 through 2.9.10 and is triggered when the SecParseXmlIntoArgs directive is set to On or OnlyArgs and the incoming HTTP request has a content type of application/xml containing at least one empty XML tag (for example, <foo></foo>).

The vulnerability causes a segmentation fault, a critical error that abruptly crashes the WAF process and can disrupt service availability.

The root cause lies in the way ModSecurity2 parses XML payloads when the SecParseXmlIntoArgs feature is enabled. Specifically, the code calls strlen() on a NULL pointer when it encounters an empty XML node, which leads to an invalid memory access and terminates the process.

Relevant Configuration Example:

SecParseXmlIntoArgs On

With the above setting, any request with an empty XML tag, such as:

<foo></foo>

can trigger a segmentation fault.
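The following C program is an added illustration of the bug class described above, not ModSecurity's own code: it models the XML-to-arguments conversion with a constructed node type whose content pointer is NULL for an empty element (as libxml2 returns for <foo></foo>), and shows the length calculation done safely instead of through a bare strlen() call. The type and function names (xml_node_t, wa_arg_t, safe_strlen, xml_node_to_arg, arg_len_for) are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a parsed XML element. With libxml2 the content of
 * an empty element such as <foo></foo> is NULL rather than "", which is the
 * condition the advisory describes. Not ModSecurity's own types. */
typedef struct {
    const char *name;
    const char *content;   /* NULL for an empty element */
} xml_node_t;

/* One flattened argument, as a WAF would hand to its rule engine. */
typedef struct {
    char name[64];
    char value[256];
    size_t value_len;
} wa_arg_t;

/* Hardened length helper: NULL means "no content", so the length is 0.
 * Calling strlen(NULL) is undefined behaviour and in practice a segmentation
 * fault, which is the crash the advisory reports. */
size_t safe_strlen(const char *s)
{
    return s ? strlen(s) : 0;
}

/* Convert one element into an argument. Returns 0 on success, -1 if the
 * node or its name is missing or a field would not fit. An empty element
 * becomes an argument with an empty value instead of crashing the process. */
int xml_node_to_arg(const xml_node_t *node, wa_arg_t *out)
{
    if (node == NULL || node->name == NULL || out == NULL)
        return -1;

    size_t name_len  = strlen(node->name);
    size_t value_len = safe_strlen(node->content);   /* 0 when content is NULL */

    if (name_len >= sizeof out->name || value_len >= sizeof out->value)
        return -1;   /* refuse rather than truncate silently */

    memcpy(out->name, node->name, name_len + 1);
    if (node->content != NULL)
        memcpy(out->value, node->content, value_len);
    out->value[value_len] = '\0';
    out->value_len = value_len;
    return 0;
}

/* Convenience wrapper: value length produced for a (name, content) pair,
 * or (size_t)-1 when the conversion is refused. */
size_t arg_len_for(const char *name, const char *content)
{
    xml_node_t node = { name, content };
    wa_arg_t arg;
    if (xml_node_to_arg(&node, &arg) != 0)
        return (size_t)-1;
    return arg.value_len;
}

int main(void)
{
    /* Constructed input equivalent to <root><user>alice</user><foo></foo></root> */
    xml_node_t doc[] = {
        { "user", "alice" },
        { "foo",  NULL },      /* the empty tag from the advisory */
    };
    wa_arg_t args[2];
    for (size_t i = 0; i < 2; i++) {
        if (xml_node_to_arg(&doc[i], &args[i]) != 0)
            return 1;
        printf("ARGS:%s = \"%s\" (len %zu)\n", args[i].name, args[i].value, args[i].value_len);
    }
    return 0;
}
```

The point of the example is the one line in xml_node_to_arg that goes through safe_strlen(): a parser that flattens XML into arguments must treat "element present, content absent" as a valid state, because a client controls whether any given element is empty.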

Impact, Mitigation, and Patch Details

Impact:

This vulnerability can be exploited by sending specially crafted XML requests to any web application protected by a vulnerable ModSecurity2 instance with SecParseXmlIntoArgs enabled.

The result is a denial of service (DoS): the WAF process crashes and stops filtering or protecting the underlying application until it is manually restarted.

Notably, the default value for SecParseXmlIntoArgs is Off, meaning only systems where administrators have explicitly enabled this feature are at risk.

Mitigation and Workaround:

A patch is available in version 2.9.11 of ModSecurity2, which removes the unsafe use of strlen() and properly handles empty XML nodes.

Administrators are strongly advised to upgrade to this version as soon as possible.
For those unable to upgrade immediately, a temporary workaround is to set the directive to Off:

SecParseXmlIntoArgs Off

This change prevents the WAF from attempting to parse XML nodes into arguments, thus avoiding the crash scenario.
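To check whether an installation is actually exposed, both conditions from the advisory have to hold: an affected version (2.9.8 through 2.9.10) and an effective SecParseXmlIntoArgs value of On or OnlyArgs. The C program below is an added example, not a ModSecurity tool, that evaluates those two conditions against configuration text and a version string. It treats directive names and values as case-insensitive (as Apache does), ignores '#' comment lines, lets the last occurrence win, and falls back to the documented default of Off when the directive is absent. The function names and the sample configuration are constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Effective value of SecParseXmlIntoArgs after reading a configuration.
 * MODE_INVALID flags a value the example does not recognise; a real server
 * would refuse to start on it, so it should be inspected by hand. */
enum parse_xml_mode { MODE_INVALID = -1, MODE_OFF = 0, MODE_ON = 1, MODE_ONLYARGS = 2 };

/* Case-insensitive comparison of a token of length len against a literal. */
static int token_ieq(const char *tok, size_t len, const char *lit)
{
    if (strlen(lit) != len)
        return 0;
    for (size_t i = 0; i < len; i++)
        if (tolower((unsigned char)tok[i]) != tolower((unsigned char)lit[i]))
            return 0;
    return 1;
}

/* Scan configuration text (constructed here; in practice the contents of
 * modsecurity.conf or an included file) and return the last effective
 * SecParseXmlIntoArgs setting. Absent directive means Off, the default. */
enum parse_xml_mode effective_parse_xml_mode(const char *config)
{
    enum parse_xml_mode mode = MODE_OFF;
    const char *line = config;

    while (line != NULL && *line != '\0') {
        const char *end = strchr(line, '\n');
        size_t len = end ? (size_t)(end - line) : strlen(line);
        size_t i = 0;

        while (i < len && isspace((unsigned char)line[i]))
            i++;                                   /* leading whitespace */
        if (i < len && line[i] != '#') {           /* skip comment lines */
            size_t ds = i;
            while (i < len && !isspace((unsigned char)line[i]))
                i++;                               /* directive name */
            if (token_ieq(line + ds, i - ds, "SecParseXmlIntoArgs")) {
                while (i < len && isspace((unsigned char)line[i]))
                    i++;
                size_t vs = i;
                while (i < len && !isspace((unsigned char)line[i]))
                    i++;                           /* directive value */
                if (token_ieq(line + vs, i - vs, "On"))
                    mode = MODE_ON;
                else if (token_ieq(line + vs, i - vs, "OnlyArgs"))
                    mode = MODE_ONLYARGS;
                else if (token_ieq(line + vs, i - vs, "Off"))
                    mode = MODE_OFF;
                else
                    mode = MODE_INVALID;
            }
        }
        line = end ? end + 1 : NULL;
    }
    return mode;
}

/* 1 if "major.minor.patch" is within the affected range 2.9.8 .. 2.9.10. */
int version_is_affected(const char *version)
{
    int maj, min, pat;
    if (sscanf(version, "%d.%d.%d", &maj, &min, &pat) != 3)
        return 0;
    return maj == 2 && min == 9 && pat >= 8 && pat <= 10;
}

/* Exposed only when the version is affected AND parsing is enabled. */
int config_is_exposed(const char *config, const char *version)
{
    enum parse_xml_mode mode = effective_parse_xml_mode(config);
    return version_is_affected(version) && (mode == MODE_ON || mode == MODE_ONLYARGS);
}

int main(void)
{
    /* Constructed sample configuration */
    const char *sample =
        "SecRuleEngine On\n"
        "# SecParseXmlIntoArgs Off   (commented out, ignored)\n"
        "SecParseXmlIntoArgs OnlyArgs\n";
    const char *version = "2.9.9";   /* placeholder version for the demo */

    printf("effective mode: %d\n", effective_parse_xml_mode(sample));
    printf("version %s affected: %d\n", version, version_is_affected(version));
    printf("exposed: %d\n", config_is_exposed(sample, version));
    return 0;
}
```

The check reads a single text, so when the directive lives in an Include'd file the caller has to concatenate the files in the order the server reads them; the last occurrence seen is the one that takes effect.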

Reporter and Acknowledgements:

The issue was reported by Andrew Howe (@RedXanadu), with contributions from several community members in identifying and resolving the bug.

Summary Table:

Affected Versions: 2.9.8–2.9.10
Fixed Version: 2.9.11
Trigger Condition: Empty XML tag
Workaround: SecParseXmlIntoArgs Off

Administrators should review their ModSecurity2 configurations and apply the patch or workaround to maintain robust web application security.
