CVE-2025-47947: 
Alma Linux vulnerability analysis and mitigation

ModSecurity, an open source cross-platform web application firewall (WAF) engine for Apache, IIS and Nginx, contains a denial of service vulnerability (CVE-2025-47947) in versions up to and including 2.9.8. The vulnerability was discovered and reported by Simon Studer from Netnea on behalf of Swiss Post (GitHub Advisory).

The vulnerability is triggered under specific conditions when processing JSON payloads with content type 'application/json' and when there is at least one rule using a 'sanitiseMatchedBytes' action. When processing JSON payloads, all variables are produced simultaneously and processed sequentially. If an operator matches, the sanitiseMatchedBytes action adds all processed JSON variables repeatedly, leading to exponential growth in memory usage. For example, a payload with 1,000 items would result in 1,000,000 variables to sanitize. The vulnerability has been assigned a CVSS v3.1 score of 7.5 (High) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (GitHub Advisory, NVD).

The vulnerability can lead to a denial of service condition through high memory consumption. A single request with a specially crafted JSON payload is sufficient to trigger the issue, causing the system to run out of memory after just a few requests (GitHub Advisory, Wiz).

A patch is available in pull request 3389 and is expected to be included in version 2.9.9. No known workarounds are available for this vulnerability (NVD, GitHub PR).