CVE-2025-52891

Public on 2025-07-02
Modified on 2025-07-02
Description
ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. In versions 2.9.8 to before 2.9.11, an empty XML tag can cause a segmentation fault. If SecParseXmlIntoArgs is set to On or OnlyArgs, and the request type is application/xml, and at least one XML tag is empty (eg ), then a segmentation fault occurs. This issue has been patched in version 2.9.11. A workaround involves setting SecParseXmlIntoArgs to Off.
Severity
Medium severity
Medium
See what this means
CVSS v3 Base Score
4.3
See breakdown

Affected Packages

Platform Package Release Date Advisory Status
Amazon Linux 1 mod_security Not Affected
Amazon Linux 2 - Core mod_security Pending Fix
Amazon Linux 2023 mod_security Pending Fix

CVSS Scores

Score Type Score Vector
Amazon Linux CVSSv3 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
NVD CVSSv3 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

References

FAQs regarding Amazon Linux ALAS/CVE Severity Red Hat: CVE-2025-52891 Mitre: CVE-2025-52891