ModSecurity DoS Vulnerability

A critical vulnerability in ModSecurity’s Apache module has been disclosed, potentially exposing millions of web servers worldwide to denial-of-service attacks. 

The flaw, tracked as CVE-2025-47947 and assigned a CVSS score of 7.5, affects the popular open-source web application firewall’s handling of JSON payloads under specific conditions. 

Security researchers have confirmed that attackers can exploit this vulnerability with minimal effort, requiring only a single crafted request to consume excessive server memory and potentially crash targeted systems.

ModSecurity DoS Flaw (CVE-2025-47947) 

The vulnerability was initially reported in March 2025 by Simon Studer from Netnea on behalf of Swiss Post, though it took several months for developers to successfully reproduce and understand the root cause. 

CVE-2025-47947 specifically affects mod_security2, the Apache module version of ModSecurity, while the newer libmodsecurity3 implementation remains unaffected.

The flaw emerges when two specific conditions are met simultaneously: the incoming payload must have a Content-Type of application/json, and there must be at least one active rule utilizing the sanitiseMatchedBytes action. 

Under these circumstances, ModSecurity’s memory consumption escalates exponentially, leading to system instability and potential service interruption.

Technical analysis reveals that the vulnerability stems from ModSecurity’s flawed handling of the sanitiseMatchedBytes and sanitiseMatched actions when processing JSON data structures. 

During normal operation, these actions are designed to replace matched variables with asterisks (*) in audit logs for security purposes. However, when processing JSON payloads, the engine exhibits problematic behavior in its argument sanitization mechanism.

According to the technical analysis, if a JSON payload contains 1,000 elements, the rule evaluates each element and adds it to a sanitization list. 

This process occurs 1,000 times, resulting in approximately 1,000,000 variables being stored in memory for a single action. 

The bloated list is maintained in Apache’s APR table, which expands dynamically, causing severe memory exhaustion.
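The growth described above (one rule evaluation per JSON element, each evaluation appending the whole argument collection to the audit-log sanitisation list) can be modelled in a few lines. The block below is an added illustration written for this article, not ModSecurity source code or its patch; the ARGS naming scheme (json.0, json.1, ...) and the deduplicated variant are assumptions used only to show why the list grows with the square of the element count and how a name-keyed structure keeps it linear.

```python
"""Constructed model of the memory amplification described for CVE-2025-47947.

Not ModSecurity code: it mimics the behaviour the advisory describes, where a
rule carrying sanitiseMatchedBytes fires once per JSON element and, on each
firing, appends the entire argument collection to the sanitisation list.
"""
import json


def build_payload(n: int) -> str:
    """Constructed JSON array shaped like the advisory's proof-of-concept body."""
    return "[%s]" % ",".join(["1234567890123456"] * n)


def parse_json_args(payload: str) -> dict:
    """Flatten a JSON array body into ARGS-style variables.

    The json.<index> naming is an assumption for this model, not the exact
    scheme of mod_security2's JSON body processor.
    """
    data = json.loads(payload)
    return {f"json.{i}": str(v) for i, v in enumerate(data)}


def sanitisation_entries_naive(args: dict) -> int:
    """Vulnerable pattern (constructed model): every matching evaluation
    re-adds the whole collection to a list that is never deduplicated,
    so N elements produce N * N entries."""
    entries = []
    for _matched_name in args:          # rule fires once per element
        for name, value in args.items():  # whole collection appended each time
            entries.append((name, value))
    return len(entries)


def sanitisation_entries_dedup(args: dict) -> int:
    """Hardened pattern (illustrative, not the upstream 2.9.9 fix): keying the
    structure by variable name keeps it at N entries however often the rule fires."""
    entries = set()
    for _matched_name in args:
        for name in args:
            entries.add(name)
    return len(entries)


if __name__ == "__main__":
    args = parse_json_args(build_payload(1000))
    print("naive entries:", sanitisation_entries_naive(args))   # 1000000
    print("dedup entries:", sanitisation_entries_dedup(args))   # 1000
```

Running the model with 1,000 elements reproduces the advisory's arithmetic: one million sanitisation entries in the naive structure against one thousand in the name-keyed one, which is the difference between a request that exhausts memory and one that does not.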

A proof-of-concept demonstration involves generating a JSON payload with 1,000 items using the command: python3 -c "print('[%s]' % ','.join(['1234567890123456'] * 1000))" > payload.json. 

Attackers can then transmit this payload repeatedly using simple HTTP POST requests, with security researchers confirming that “only one request is enough to reproduce this high memory consumption”.

Risk Factors
Affected Products: ModSecurity (mod_security2) versions 2.x up to and including 2.9.8 (Apache module). Does not affect libmodsecurity3 (v3.x).
Impact: Memory exhaustion leading to denial-of-service (DoS).
Exploit Prerequisites: 1. Payload with Content-Type: application/json. 2. At least one active rule using the sanitiseMatchedBytes or sanitiseMatched action.
CVSS 3.1 Score: 7.5 (High).

Mitigations

The ModSecurity development team has addressed this vulnerability by releasing version 2.9.9, which includes a comprehensive fix for CVE-2025-47947. 

The updated version is available through the official GitHub repository and should be deployed immediately across affected installations. 

Security experts emphasize that this vulnerability affects “probably all 2.x versions” of mod_security2, making widespread patching critical.

For organizations unable to immediately upgrade, limited mitigation options exist. Administrators can disable rules containing the sanitiseMatchedBytes action, though this may reduce security monitoring capabilities. 

Alternatively, disabling the audit engine prevents the vulnerability from triggering, but this significantly impacts traffic visibility and logging functionality.
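Before choosing between the two interim measures, an administrator needs to know which loaded rules actually carry a sanitiseMatchedBytes or sanitiseMatched action and what the audit engine is set to. The scanner below is an added example written for this article, not a ModSecurity project tool; the rule file it reads is constructed inline, and the SecRuleRemoveById output it produces is the standard mod_security2 directive for disabling a rule by id (the advisory's first workaround), to be reviewed rather than applied blindly.

```python
"""Inventory mod_security2 rules that use sanitiseMatched* actions.

Added example, not ModSecurity project code. It handles backslash line
continuations, extracts rule ids, reports the SecAuditEngine setting and
emits SecRuleRemoveById directives for the affected rules so an operator can
judge the monitoring cost of disabling them until 2.9.9 is deployed.
"""
import re

# Constructed sample rule file; not taken from any real ruleset.
SAMPLE_CONFIG = r"""
SecRuleEngine On
SecAuditEngine RelevantOnly
SecRule ARGS "@rx (?i)password" \
    "id:100001,phase:2,pass,log,sanitiseMatchedBytes,msg:'mask secrets in audit log'"
SecRule ARGS:card "@rx \d{16}" "id:100002,phase:2,pass,nolog,sanitiseMatched"
SecRule REQUEST_HEADERS:User-Agent "@contains scanner" "id:100003,phase:1,deny,status:403"
"""

_CONTINUATION = re.compile(r"\\\s*\n\s*")
_RULE_ID = re.compile(r"\bid:'?(\d+)'?")
_SANITISE = re.compile(r"\bsanitiseMatched(?:Bytes)?\b")


def join_continuations(text: str) -> str:
    """Fold backslash-newline continuations so each SecRule is a single line."""
    return _CONTINUATION.sub(" ", text)


def find_sanitise_rules(config_text: str) -> list:
    """Return [(rule_id, action_name)] for every SecRule using sanitiseMatched*."""
    found = []
    for line in join_continuations(config_text).splitlines():
        stripped = line.strip()
        if not stripped.startswith("SecRule"):
            continue
        action = _SANITISE.search(stripped)
        if not action:
            continue
        rule_id = _RULE_ID.search(stripped)
        found.append((rule_id.group(1) if rule_id else None, action.group(0)))
    return found


def audit_engine_setting(config_text: str) -> str:
    """Return the last SecAuditEngine value seen, or None if the directive is absent."""
    setting = None
    for line in config_text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] == "SecAuditEngine":
            setting = parts[1]
    return setting


def workaround_directives(config_text: str) -> list:
    """SecRuleRemoveById lines for the flagged rules (interim measure, review before use)."""
    return [f"SecRuleRemoveById {rid}"
            for rid, _ in find_sanitise_rules(config_text) if rid]


if __name__ == "__main__":
    for rid, action in find_sanitise_rules(SAMPLE_CONFIG):
        print(f"rule {rid} uses {action}")
    print("SecAuditEngine:", audit_engine_setting(SAMPLE_CONFIG))
    print("\n".join(workaround_directives(SAMPLE_CONFIG)))
```

On a real host, point the scanner at every file pulled in by the Apache configuration (including rule sets loaded through Include); a rule that is removed here loses the masking of matched bytes in the audit log, which is exactly the trade-off the article describes for this workaround.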

The ModSecurity project acknowledges that during its investigation, it “found some unexpected behavior” and is working to improve the sanitization mechanism. 

Future developments may include implementing enhanced sanitization features in libmodsecurity3, providing a more robust foundation for web application security. 

Organizations running ModSecurity installations should prioritize immediate patching to prevent potential exploitation of this severe denial-of-service vulnerability.
