Merge pull request #93 from owasp-modsecurity/v2release20250521

airween · web-flow · commit 7becc791be36 · 2025-05-21T22:00:15.000+02:00
docs: add blog post about new release of v2
diff --git a/content/blog/2025-05-21-cve-2025-47947.md b/content/blog/2025-05-21-cve-2025-47947.md
@@ -0,0 +1,34 @@
+---
+title: 'Possible DoS vulnerability: CVE-2025-47947 - 2025 May'
+date: '2025-05-21T00:00:00+02:00'
+author: airween
+---
+
+We would like to share our take on [CVE-2025-47947](https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-47947), which was published on May 21, 2025.
+
+<!--more-->
+
+An issue was described in March from a customer in a private report. We tried to reproduce that, but first time we weren't able to. After some further discussions we were able to successfully resolve the issue and later found the root cause. This is why it took a while.
+
+Although the CVE rating is high (7.5/10, high), the flaw can only be exploited in very rare cases.
+
+The problem only affects mod_security2, not libmodsecurity3 at all.
+
+### Explanation
+
+There are two non-disruptive actions in mod_security2: [sanitiseMatched](https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-(v2.x)#user-content-sanitiseMatched) and [sanitiseMatchedBytes](https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-(v2.x)#sanitisematchedbytes). If a rule uses one of these actions, in audit.log section C (request body) the matched variable (which can be the argument name or the value) will be replaced by a `*` (asterisk).
+
+The used action (`sanitiseMatched` or `sanitiseMatchedBytes`) is called every time the operator returns TRUE after examining the variable (e.g. `ARGS`). If the `ARGS` length is 500, this means it is called 500 times. The operation searches all parsed arguments with matching names. In this case, all found names are added to the list of arguments to be sanitized.
+
+If the arguments name in the request body are the same, all arguments will be added - in one loop. As it was mentioned above, if the length is 500 then this will hapen 500 times. And 500 * 500 equals 250 000. This means the engine needs to store 250 000 arguments in the memory - for one action. If you have more rules with any `sanitise*` actions, then you should multiply with that.
+
+This can lead to a DoS, because storing these items takes much memory and CPU time.
+
+This bug only affects mod_security2, probably all 2.x versions. It does not affect libmodsecurity3 as it does not support the [sanitiseMatched](https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-(v3.x)#sanitisematched) and [sanitiseMatchedBytes](https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-(v3.x)#sanitisematchedbytes).
+
+We have fixed this issue and released version [v2.9.9](https://github.com/owasp-modsecurity/ModSecurity/releases/tag/v2.9.9) with the fix - please upgrade as soon as possible.
+
+During the analysis we found some unexpected behavior and realized that this solution is not the best. We are trying to improve the sanitisation mechanism and will probably implement it in libmodsecurity3 as well.
+
+
+Ervin Hegedüs
