
A newly discovered vulnerability in ModSecurity, a popular open-source web application firewall (WAF), could leave countless web applications vulnerable to attack. The vulnerability, tracked as CVE-2025-27110 and assigned a CVSSv4 score of 7.9, affects libmodsecurity3 version 3.0.13 and allows attackers to bypass security rules by encoding malicious payloads with leading zeroes in HTML entities.
“Libmodsecurity3 can’t decode encoded HTML entities if they contain leading zeroes,” the security advisory explains. Because the affected decoder does not normalize such entities, ModSecurity’s rules end up inspecting the still-encoded payload rather than its decoded form, so malicious content can slip through undetected.
ModSecurity is widely used across the internet to protect web applications from various attacks, including cross-site scripting (XSS), SQL injection, and remote code execution. The libmodsecurity3 flaw could let attackers carry out such attacks against otherwise protected applications by obfuscating their payloads as HTML entities with leading zeroes.
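As an added illustration (not code from this article or from the ModSecurity project, and not a reproduction of libmodsecurity3’s own decoder), the following Python shows what a correct numeric-entity decoder has to do with leading zeroes, and why a rule must be matched against the normalized text rather than the raw request. The `SCRIPT_TAG` pattern and the sample request string are constructed stand-ins, not ModSecurity or CRS rules.

```python
import re

# Numeric HTML character references: &#DDDD; (decimal) or &#xHHHH; (hex).
# Leading zeroes in the digit run are legal and must not change the result,
# e.g. "&#0060;", "&#60;" and "&#x003C;" all denote "<".
NUMERIC_REF = re.compile(r"&#(?:[xX]([0-9a-fA-F]+)|([0-9]+));")


def decode_numeric_refs(text: str) -> str:
    """Replace numeric character references with the characters they name."""
    def repl(m: re.Match) -> str:
        hex_digits, dec_digits = m.group(1), m.group(2)
        # int() discards leading zeroes, so "0060" and "60" both give 60.
        code = int(hex_digits, 16) if hex_digits is not None else int(dec_digits, 10)
        if code == 0 or code > 0x10FFFF or 0xD800 <= code <= 0xDFFF:
            return m.group(0)  # not a valid code point: leave the reference as-is
        return chr(code)
    return NUMERIC_REF.sub(repl, text)


# Constructed stand-in for a WAF rule that looks for an opening script tag.
SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def inspect(raw: str) -> dict:
    """Show what the rule sees on the raw input versus the normalized input."""
    normalized = decode_numeric_refs(raw)
    return {
        "raw_match": bool(SCRIPT_TAG.search(raw)),
        "normalized_match": bool(SCRIPT_TAG.search(normalized)),
        "normalized": normalized,
    }


def has_leading_zero_refs(text: str) -> bool:
    """Detection aid: True if any numeric reference pads its digits with leading zeroes."""
    for m in NUMERIC_REF.finditer(text):
        digits = m.group(1) if m.group(1) is not None else m.group(2)
        if len(digits) > 1 and digits.startswith("0"):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample request parameter, encoded with leading zeroes.
    sample = "q=&#0060;script&#0062;"
    print(inspect(sample))               # raw_match False, normalized_match True
    print(has_leading_zero_refs(sample))  # True
```

A decoder that fails on the padded form (as the advisory describes for 3.0.13) leaves `raw_match` as the only signal, which is why the rule never fires; `has_leading_zero_refs` is a logging aid for spotting such traffic, not a substitute for updating to 3.0.14.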
The maintainers of ModSecurity have addressed this vulnerability in version 3.0.14 of libmodsecurity3. All users of ModSecurity are urged to update to the latest version immediately. Unfortunately, there are no known workarounds for this vulnerability.
Organizations that rely on ModSecurity for web application security should prioritize updating to the latest version to ensure their applications are protected from this vulnerability.