Segmentation Fault Vulnerability in ModSecurity Web Application Firewall by OWASP
CVE-2025-52891

6.5 MEDIUM

Key Information:

Vendor
CVE Published: 2 July 2025

What is CVE-2025-52891?

ModSecurity, an open source web application firewall engine used across Apache, IIS, and Nginx servers, has a flaw in its XML processing. In versions 2.9.8 up to, but not including, 2.9.11, an empty XML tag in a request labeled as application/xml can trigger a segmentation fault. This occurs when the SecParseXmlIntoArgs option is enabled and at least one XML tag in the request is empty. The problem is resolved in ModSecurity version 2.9.11. Users are encouraged to upgrade to that version or, as a workaround, disable SecParseXmlIntoArgs.

Affected Version(s)

ModSecurity >= 2.9.8, < 2.9.11

CVSS V3.1

Score: 6.5
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
