{"id":"AZL-62229","summary":"CVE-2025-48866 affecting package mod_security 2.9.4-1","details":"ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. Versions prior to 2.9.10 contain a denial of service vulnerability similar to GHSA-859r-vvv8-rm8r/CVE-2025-47947. The `sanitiseArg` (and `sanitizeArg` - this is the same action but an alias) is vulnerable to adding an excessive number of arguments, thereby leading to denial of service. Version 2.9.10 fixes the issue. As a workaround, avoid using rules that contain the `sanitiseArg` (or `sanitizeArg`) action.","modified":"2026-04-01T05:20:01.735363Z","published":"2025-06-02T16:15:29Z","upstream":["CVE-2025-48866"],"references":[{"type":"WEB","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-48866"}],"affected":[{"package":{"name":"mod_security","ecosystem":"Azure Linux:2","purl":"pkg:rpm/azure-linux/mod_security"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"last_affected":"2.9.4-1"}]}],"database_specific":{"source":"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-62229.json"}}],"schema_version":"1.7.5"}