Critical ModSecurity WAF Vulnerability Allows Denial of Service via Empty XML Tags

A newly discovered denial-of-service vulnerability in the ModSecurity Web Application Firewall (WAF) engine has security experts on high alert.

The flaw, designated CVE-2025-52891, affects specific versions of mod_security2 and can be triggered by processing XML requests containing empty tags, potentially causing complete service disruption.

The vulnerability impacts mod_security2 versions 2.9.8, 2.9.9, and 2.9.10, but only when administrators have enabled the SecParseXmlIntoArgs feature.

This relatively new functionality, which parses XML nodes into ARGS and node paths into ARGS_NAMES for enhanced security monitoring, becomes a liability when processing malformed XML content.

ModSecurity is widely recognized as the “Swiss Army Knife” of WAFs and serves as the standard open-source web application firewall engine used by businesses, government organizations, internet service providers, and commercial WAF vendors worldwide.

Initially designed for Apache HTTP Server, it has evolved to support multiple platforms, including Microsoft IIS and Nginx.

The vulnerability stems from improper handling of empty XML tags during the parsing process. When SecParseXmlIntoArgs is set to “On” or “OnlyArgs” and the system receives a request with Content-Type “application/xml” whose body contains at least one empty tag (an element with no text content between its opening and closing tags), a segmentation fault occurs.

The root cause lies in ModSecurity’s use of the strlen() function to compute the length of XML node values. When processing empty nodes, strlen() is applied to a null value, triggering the crash.

This is a classic null pointer dereference: the program reads through a pointer that holds no valid address, so the operating system terminates the process rather than letting it continue.
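To make the failure mode concrete, the following added example (not ModSecurity or libxml2 code) models the contract the article describes: an XML library call that returns a string for an element with text and NULL for an empty element, followed by the length computation in both the unchecked form and the hardened form. The `element_text` scanner is a hypothetical stand-in written for this example, and the request body is constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical toy scanner standing in for the XML library call.
 * Returns a freshly allocated copy of the text inside the first
 * element named `name`, or NULL (not "") when that element is empty,
 * e.g. <name/> or <name></name>. Caller frees the result. */
static char *element_text(const char *xml, const char *name)
{
    size_t nlen = strlen(name);
    const char *p = xml;
    while ((p = strchr(p, '<')) != NULL) {
        p++;
        if (strncmp(p, name, nlen) != 0)
            continue;                         /* different element name */
        const char *after = p + nlen;
        if (after[0] == '/' && after[1] == '>')
            return NULL;                      /* <name/> : no text child */
        if (after[0] != '>')
            continue;                         /* longer name, e.g. <username> */
        const char *start = after + 1;
        char close[64];
        snprintf(close, sizeof close, "</%s>", name);
        const char *end = strstr(start, close);
        if (end == NULL || end == start)
            return NULL;                      /* <name></name> or unterminated */
        size_t len = (size_t)(end - start);
        char *out = malloc(len + 1);
        if (out == NULL)
            return NULL;
        memcpy(out, start, len);
        out[len] = '\0';
        return out;
    }
    return NULL;
}

/* Vulnerable pattern as the article describes it: strlen() is applied
 * to the library result with no NULL check. Calling this with the NULL
 * returned for an empty tag dereferences address 0 and crashes. */
static size_t arg_value_len_unchecked(const char *value)
{
    return strlen(value);
}

/* Hardened pattern: a NULL value is recorded as a zero-length argument,
 * so an empty tag becomes an empty ARGS entry instead of a crash. */
static size_t arg_value_len_checked(const char *value)
{
    return value != NULL ? strlen(value) : 0;
}

/* Sum the value lengths of the named elements the hardened way and
 * report how many were empty (the inputs that would have crashed the
 * unchecked path). */
static int collect_args(const char *xml, const char *const *names, int n,
                        size_t *total_len)
{
    int empty = 0;
    *total_len = 0;
    for (int i = 0; i < n; i++) {
        char *v = element_text(xml, names[i]);
        if (v == NULL)
            empty++;
        *total_len += arg_value_len_checked(v);
        free(v);
    }
    return empty;
}

int main(void)
{
    /* Constructed request body: one populated element, one empty tag. */
    const char *body = "<req><user>alice</user><token/></req>";
    const char *const names[] = { "user", "token" };
    size_t total = 0;
    int empty = collect_args(body, names, 2, &total);
    printf("args: %d empty, %zu total bytes\n", empty, total);
    return 0;
}
```

The checked and unchecked functions differ by one comparison, which is the whole of the defect: the library legitimately returns NULL for an element with no children, and the consumer has to treat that as an empty value rather than a string.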

Impact and Exploitation

Security researchers rate this vulnerability with a moderate CVSS score of 6.5/10, primarily due to the specific configuration requirements needed for exploitation. However, the impact can be severe for affected systems:

  • Complete service disruption through denial of service attacks
  • Server crashes requiring manual restart
  • No authentication required for exploitation
  • Remote attack vector enabling attacks from anywhere on the internet

The vulnerability affects only mod_security2 installations and does not impact libmodsecurity3, which is implemented in C++ and doesn’t use the problematic strlen() function. This architectural difference highlights the importance of secure coding practices across different programming languages.

The vulnerability was discovered and reported by Andrew Howe (@RedXanadu), a cybersecurity expert based in Melbourne, Australia. Howe is well-known in the security community for his open-source security research and contributions to penetration testing methodologies.

His work has been featured in security textbooks, academic papers, and professional methodologies, including the OWASP Testing Guide.

Mitigation Strategies

System administrators have several options to protect their installations:

  • Immediate Workaround: Set SecParseXmlIntoArgs to “Off” in the ModSecurity configuration. Since this is the default setting, many installations may already be protected.
  • Long-term Solution: Apply the forthcoming security patch when it becomes available. The OWASP ModSecurity team has acknowledged the vulnerability and indicated that a patch is in development.
  • Configuration Review: Audit current ModSecurity configurations to identify systems using the SecParseXmlIntoArgs feature and assess the necessity of this functionality for specific use cases.

This vulnerability represents the latest in a series of security issues affecting ModSecurity installations. Earlier in 2025, the platform faced other significant vulnerabilities, including CVE-2025-48866, a high-severity denial of service flaw related to the “sanitiseArg” action that could be exploited by submitting excessive numbers of arguments.

The discovery of CVE-2025-52891 underscores the ongoing security challenges facing web application firewalls, which serve as critical first lines of defense against web-based attacks. As these systems process increasingly complex and diverse web traffic, including XML payloads, the attack surface continues to expand.

The OWASP ModSecurity project, which transitioned from Trustwave to OWASP custody in early 2024, has been actively addressing security issues and implementing improvements to the platform. The organization has established new development processes and community engagement initiatives to foster continued security enhancements.

Security experts recommend that organizations running ModSecurity conduct immediate assessments of their configurations and implement appropriate mitigation measures. The relatively narrow attack vector requiring specific configuration settings may limit widespread exploitation, but affected systems remain vulnerable until properly patched or reconfigured.

This incident serves as a reminder that even security-focused applications like web application firewalls require ongoing vigilance and prompt patching to maintain their protective capabilities against evolving threats.
