Segmentation Fault Vulnerability in ModSecurity Web Application Firewall by OWASP
CVE-2025-52891
What is CVE-2025-52891?
ModSecurity, an open source web application firewall engine used across Apache, IIS, and Nginx servers, has a flaw in its XML processing. In versions 2.9.8 up to, but not including, 2.9.11, an empty XML tag in a request labeled as application/xml can trigger a segmentation fault. This occurs when the SecParseXmlIntoArgs option is enabled and at least one XML tag in the request is empty. The problem has been resolved in ModSecurity version 2.9.11. Users are encouraged to upgrade to this version or, as a workaround, disable SecParseXmlIntoArgs.
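To triage a host against the two conditions above (version in the affected range, SecParseXmlIntoArgs enabled), the following added example, which is not code from ModSecurity or from this advisory, audits a version string and a configuration text. The function names and the sample configuration are constructed for illustration, and the script assumes that an absent directive means the feature is off.

```python
import re

# Version bounds taken from the advisory: affected >= 2.9.8, fixed in 2.9.11.
AFFECTED_MIN = (2, 9, 8)
FIXED = (2, 9, 11)

# Apache-style directive names are case-insensitive; a leading '#' makes the
# line a comment, so anchoring at the directive name skips commented lines.
DIRECTIVE = re.compile(r'^\s*SecParseXmlIntoArgs\s+"?(\w+)"?\s*$', re.IGNORECASE)

# Constructed sample configuration, not taken from a real deployment.
SAMPLE_CONFIG = """\
# SecParseXmlIntoArgs On
SecRuleEngine On
SecRequestBodyAccess On
  secparsexmlintoargs OnlyArgs
"""


def parse_version(text):
    """Turn '2.9.10' into (2, 9, 10) so 2.9.10 sorts after 2.9.8."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected version string: {text!r}")
    return tuple(int(p) for p in parts)


def version_affected(text):
    return AFFECTED_MIN <= parse_version(text) < FIXED


def risky_settings(config_text):
    """Return (line_number, value) for each active directive not set to Off."""
    hits = []
    for number, line in enumerate(config_text.splitlines(), start=1):
        match = DIRECTIVE.match(line)
        if match and match.group(1).lower() != "off":
            hits.append((number, match.group(1)))
    return hits


def assess(version, config_text):
    """Classify a host as 'not-affected', 'mitigated' or 'exposed'."""
    if not version_affected(version):
        return "not-affected"
    # Assumption: an absent directive means the feature is off (default Off).
    return "exposed" if risky_settings(config_text) else "mitigated"


if __name__ == "__main__":
    print(assess("2.9.10", SAMPLE_CONFIG), risky_settings(SAMPLE_CONFIG))
```

Versions are compared as integer tuples because a plain string comparison would sort 2.9.10 before 2.9.8 and misreport an affected build as older than the vulnerable range.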

Affected Version(s)
ModSecurity >= 2.9.8, < 2.9.11
