Vulnerability DatabaseCVE-2022-39957

CVE-2022-39957:
ModSecurity vulnerability analysis and mitigation

Overview

The OWASP ModSecurity Core Rule Set (CRS) is affected by a response body bypass vulnerability (CVE-2022-39957) discovered during the Intigriti 1337UP0522 WAF Promotion Event. The vulnerability was reported by Karel Knibbe (@Karel_Origin) and affects legacy CRS versions 3.0.x and 3.1.x, as well as versions 3.2.1 and 3.3.2 (CRS Blog).

Technical details

The vulnerability allows a client to issue an HTTP Accept header field containing an optional charset parameter to receive the response in an encoded form. Depending on the charset, this response cannot be decoded by the web application firewall. This means a restricted resource that would normally be detected can bypass detection (NVD, CRS Blog).

Impact

When successfully exploited, this vulnerability allows attackers to bypass the web application firewall's response body inspection. A restricted resource that would ordinarily be detected can be accessed without triggering the WAF's detection mechanisms (Debian LTS).

Mitigation and workarounds

Users and integrators are advised to upgrade to CRS versions 3.2.2/3.2.3 or 3.3.3/3.3.4 to address this vulnerability. The issue was fixed in these releases as part of a broader security update that addressed multiple vulnerabilities (CRS Blog, Debian LTS).

Additional resources

Source: This report was generated using AI

View vulnerable instances

Not a customer? See how Wiz maps CVEs like this one to real cloud attack paths.

Watch 12-min demo

7.5

Score

Published September 20, 2022

Severity HIGH

CNA Score 7.3

Affected Technologies

ModSecurity
Linux Debian

Has Public Exploit No

Has CISA KEV Exploit No

CISA KEV Release Date N/A

CISA KEV Due Date N/A

Exploitation Probability Percentile (EPSS) 20.9

Exploitation Probability (EPSS) 0.1

Affected packages and libraries

mod_security-mlogc
www-apache/modsecurity-crs

Sources

NVD
Debian Security Tracker
- Debian 10, 11, 12 Severity HIGHHas FixAdded at: Sep 20, 2022
- Debian 13 Severity HIGHHas FixAdded at: Jun 11, 2023
- Debian 14 Severity HIGHHas FixAdded at: Aug 10, 2025
Echo
- Echo Severity HIGHHas FixAdded at: Nov 18, 2025
Gentoo Advisory Database
- Gentoo Severity LOWHas FixAdded at: May 22, 2023
Red Hat Errata
- Red Hat 7, 8, 9 Severity MEDIUMNo FixAdded at: Sep 30, 2022

Get a CVE risk assessment

Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.

Request assessment

Related ModSecurity vulnerabilities:

CVE ID	Severity	Score	Technologies	Component name	CISA KEV exploit	Has fix	Published date
CVE-2025-27110	HIGH	7.9	ModSecurity	cpe:2.3:a:trustwave:modsecurity	No	Yes	Feb 25, 2025
CVE-2025-48866	HIGH	7.5	Rocky Linux	mod_security-mlogc	No	Yes	Jun 02, 2025
CVE-2025-47947	HIGH	7.5	Rocky Linux	mod_security-mlogc-debuginfo	No	Yes	May 21, 2025
CVE-2025-54571	MEDIUM	6.9	ModSecurity	apache2-mod_security2	No	Yes	Aug 06, 2025
CVE-2025-52891	MEDIUM	6.5	ModSecurity	mod_security-debuginfo	No	Yes	Jul 02, 2025

Free Vulnerability Assessment

Benchmark your Cloud Security Posture

Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.

Request assessment

Additional Wiz resources

Cloud Vulnerability DB

A community-led vulnerabilities database

Cloud Threat Landscape

A threat intelligence database

PEACH

A tenant isolation framework

Get a personalized demo

Ready to see Wiz in action?

"Best User Experience I have ever seen, provides full visibility to cloud workloads."

David EstlickCISO

"Wiz provides a single pane of glass to see what is going on in our cloud environments."

Adam FletcherChief Security Officer

"We know that if Wiz identifies something as critical, it actually is."

Greg PoniatowskiHead of Threat and Vulnerability Management

Get a demo

CVE-2022-39957: ModSecurity vulnerability analysis and mitigation