Bug 2367903 (CVE-2025-47947) - CVE-2025-47947 modsecurity: ModSecurity Has Possible DoS Vulnerability
Summary: CVE-2025-47947 modsecurity: ModSecurity Has Possible DoS Vulnerability
Keywords:
Status: NEW
Alias: CVE-2025-47947
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2367907 2367908
Blocks:
TreeView+ depends on / blocked
 
Reported: 2025-05-21 23:01 UTC by OSIDB Bzimport
Modified: 2025-06-11 21:33 UTC (History)
6 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2025:8605 0 None None None 2025-06-05 16:05:30 UTC
Red Hat Product Errata RHSA-2025:8626 0 None None None 2025-06-09 01:41:02 UTC
Red Hat Product Errata RHSA-2025:8627 0 None None None 2025-06-09 01:43:30 UTC
Red Hat Product Errata RHSA-2025:8674 0 None None None 2025-06-09 13:50:44 UTC
Red Hat Product Errata RHSA-2025:8837 0 None None None 2025-06-11 10:50:15 UTC
Red Hat Product Errata RHSA-2025:8844 0 None None None 2025-06-11 10:48:13 UTC
Red Hat Product Errata RHSA-2025:8917 0 None None None 2025-06-11 16:00:35 UTC
Red Hat Product Errata RHSA-2025:8922 0 None None None 2025-06-11 15:58:53 UTC
Red Hat Product Errata RHSA-2025:8937 0 None None None 2025-06-11 21:33:15 UTC

Description OSIDB Bzimport 2025-05-21 23:01:34 UTC 
ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. Versions up to and including 2.9.8 are vulnerable to denial of service in one special case (in stable released versions): when the payload's content type is `application/json`, and there is at least one rule which does a `sanitiseMatchedBytes` action. A patch is available at pull request 3389 and expected to be part of version 2.9.9. No known workarounds are available.
Comment 2 errata-xmlrpc 2025-06-05 16:05:29 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.6 Telecommunications Update Service

Via RHSA-2025:8605 https://access.redhat.com/errata/RHSA-2025:8605
Comment 3 errata-xmlrpc 2025-06-09 01:41:00 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support

Via RHSA-2025:8626 https://access.redhat.com/errata/RHSA-2025:8626
Comment 4 errata-xmlrpc 2025-06-09 01:43:28 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support

Via RHSA-2025:8627 https://access.redhat.com/errata/RHSA-2025:8627
Comment 5 errata-xmlrpc 2025-06-09 13:50:42 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.8 Telecommunications Update Service

Via RHSA-2025:8674 https://access.redhat.com/errata/RHSA-2025:8674
Comment 6 errata-xmlrpc 2025-06-11 10:48:11 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2025:8844 https://access.redhat.com/errata/RHSA-2025:8844
Comment 7 errata-xmlrpc 2025-06-11 10:50:14 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:8837 https://access.redhat.com/errata/RHSA-2025:8837
Comment 8 errata-xmlrpc 2025-06-11 15:58:52 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2025:8922 https://access.redhat.com/errata/RHSA-2025:8922
Comment 9 errata-xmlrpc 2025-06-11 16:00:34 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2025:8917 https://access.redhat.com/errata/RHSA-2025:8917
Comment 10 errata-xmlrpc 2025-06-11 21:33:14 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2025:8937 https://access.redhat.com/errata/RHSA-2025:8937
Note You need to log in before you can comment on or make changes to this bug.