CVE-2025-52891: 
ModSecurity vulnerability analysis and mitigation

ModSecurity, an open source cross-platform web application firewall (WAF) engine for Apache, IIS and Nginx, contains a vulnerability (CVE-2025-52891) affecting versions 2.9.8 to before 2.9.11. The vulnerability was discovered by Andrew Howe (@RedXanadu) and disclosed in July 2025. The issue occurs when SecParseXmlIntoArgs is set to 'On' or 'OnlyArgs' and the request type is application/xml containing at least one empty XML tag (GITHUB ADVISORY).

The vulnerability stems from improper input validation when processing empty XML tags. When an empty XML node is encountered, the software attempts to use the strlen() function on a null value, resulting in a segmentation fault. The issue has been assigned a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H. The vulnerability requires network access and user interaction but no privileges for exploitation (GBHACKERS).

The primary impact of this vulnerability is on system availability. When successfully exploited, it can cause a segmentation fault leading to a denial-of-service (DoS) condition. The crash of the WAF process could potentially expose the protected web application to further attacks. The vulnerability does not affect confidentiality or integrity of the system (GITHUB ADVISORY).

The vulnerability has been patched in ModSecurity version 2.9.11. For systems that cannot immediately update, a workaround is available by setting SecParseXmlIntoArgs to 'Off'. The vulnerability only affects mod_security2 and does not impact the newer libmodsecurity3 library (GITHUB ADVISORY, GBHACKERS).