CVE-2025-47947 Overview
CVE-2025-47947 is a Denial of Service (DoS) vulnerability affecting ModSecurity, an open source, cross-platform web application firewall (WAF) engine for Apache, IIS, and Nginx. The vulnerability occurs when processing JSON payloads under specific rule configurations, potentially allowing remote attackers to disrupt the availability of protected web applications.
Critical Impact
Remote attackers can cause denial of service conditions on web servers protected by vulnerable ModSecurity instances by sending specially crafted JSON payloads, potentially bypassing WAF protection and disrupting service availability.
Affected Products
- Trustwave ModSecurity versions up to and including 2.9.8
- ModSecurity deployments on Apache web servers
- ModSecurity deployments on IIS and Nginx web servers
Discovery Timeline
- 2025-05-21 - CVE-2025-47947 published to NVD
- 2025-06-20 - Last updated in NVD database
Technical Details for CVE-2025-47947
Vulnerability Analysis
This vulnerability is classified under CWE-1050 (Excessive Platform Resource Consumption within a Loop). The flaw manifests when ModSecurity processes HTTP requests with a content type of application/json while at least one active rule utilizes the sanitiseMatchedBytes action. Under these specific conditions, the WAF engine enters a resource-intensive processing state that can be exploited to exhaust system resources and cause a denial of service condition.
The vulnerability requires no authentication or user interaction to exploit, making it particularly dangerous for internet-facing web applications relying on ModSecurity for protection. An attacker can remotely trigger the vulnerable code path by crafting malicious JSON payloads and sending them to any endpoint protected by an affected ModSecurity instance with the requisite rule configuration.
Root Cause
The root cause lies in the interaction between JSON payload processing and the sanitiseMatchedBytes action within ModSecurity's rule engine. When these two conditions are met simultaneously, the processing logic fails to properly manage resource consumption, leading to excessive CPU or memory usage that can overwhelm the system. This represents a flaw in how the WAF handles the sanitization operation specifically for JSON content types.
Attack Vector
The attack vector is network-based and can be executed remotely without any privileges or user interaction. An attacker exploits this vulnerability by:
- Identifying a web application protected by ModSecurity versions 2.9.8 or earlier
- Determining that the ModSecurity configuration includes rules with the sanitiseMatchedBytes action
- Crafting HTTP requests with Content-Type: application/json headers containing payloads designed to trigger the vulnerable code path
- Sending repeated requests to exhaust server resources and cause denial of service
The vulnerability specifically targets the JSON parsing and sanitization workflow, making it a targeted attack against WAF functionality rather than the underlying web application.
Detection Methods for CVE-2025-47947
Indicators of Compromise
- Unusual increase in HTTP requests with Content-Type: application/json headers from single or distributed sources
- Elevated CPU or memory consumption on web servers running ModSecurity
- ModSecurity error logs showing abnormal processing times for JSON payloads
- Service degradation or unresponsiveness of web applications protected by ModSecurity
Detection Strategies
- Monitor web server performance metrics for sudden spikes in resource utilization correlating with JSON request processing
- Implement rate limiting on endpoints that commonly receive JSON payloads
- Analyze ModSecurity audit logs for patterns indicating exploitation attempts against the sanitization functionality
- Deploy network-level monitoring to identify suspicious bursts of JSON-formatted requests
Monitoring Recommendations
- Configure alerting thresholds for ModSecurity processing latency on JSON content types
- Enable detailed logging for rules utilizing the sanitiseMatchedBytes action
- Implement application performance monitoring (APM) to detect service degradation patterns
- Review ModSecurity audit logs regularly for anomalous request patterns
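As an added detection example (not code from the advisory or the ModSecurity project), the script below reads a ModSecurity 2.x serial audit log and implements two of the strategies listed above: per-source bursts of application/json requests, and individual JSON transactions whose Stopwatch2 processing time is abnormally high. The sample log, source addresses and thresholds are constructed; the section layout and the Stopwatch2 `combined` field follow the serial audit-log format.

```python
import re

BOUNDARY = re.compile(r"^--([0-9a-f]+)-([A-Z])--$", re.M)                 # audit-log section separator
SECTION_A = re.compile(r"^\[[^\]]+\] (\S+) (\d+\.\d+\.\d+\.\d+) \d+ ")      # unique id and source IP
CONTENT_TYPE = re.compile(r"^Content-Type:\s*([^;\r\n]+)", re.M | re.I)   # request header in section B
STOPWATCH2 = re.compile(r"^Stopwatch2: (\d+) \d+; combined=(\d+)", re.M)  # start and total time (us) in H

def parse_audit_log(text):
    """One dict per transaction: unique_id, src_ip, content_type, start_us, combined_us."""
    txns = {}
    parts = BOUNDARY.split(text)  # [prefix, id, letter, body, id, letter, body, ...]
    for i in range(1, len(parts) - 2, 3):
        t, letter, body = txns.setdefault(parts[i], {}), parts[i + 1], parts[i + 2].strip()
        if letter == "A" and (m := SECTION_A.match(body)):
            t["unique_id"], t["src_ip"] = m.group(1), m.group(2)
        elif letter == "B":
            m = CONTENT_TYPE.search(body)
            t["content_type"] = m.group(1).strip().lower() if m else ""
        elif letter == "H" and (m := STOPWATCH2.search(body)):
            t["start_us"], t["combined_us"] = int(m.group(1)), int(m.group(2))
    return list(txns.values())

def detect(txns, window_us=60_000_000, burst=20, slow_us=500_000):
    """Flag IPs with >= burst JSON requests inside window_us, and JSON transactions taking >= slow_us."""
    json_txns = [t for t in txns if t.get("content_type") == "application/json"
                 and "src_ip" in t and "start_us" in t]
    by_ip = {}
    for t in json_txns:
        by_ip.setdefault(t["src_ip"], []).append(t["start_us"])
    burst_ips = set()
    for ip, times in by_ip.items():
        times.sort()
        lo = 0
        for hi, ts in enumerate(times):  # sliding window over sorted start times
            while ts - times[lo] > window_us: lo += 1
            if hi - lo + 1 >= burst: burst_ips.add(ip)
    slow_ids = [t["unique_id"] for t in json_txns if t["combined_us"] >= slow_us]
    return {"burst_ips": sorted(burst_ips), "slow_ids": slow_ids}

def make_entry(tid, start_us, ip, ctype, combined_us):
    """Constructed audit-log transaction carrying only sections A, B, H and Z."""
    return (f"--{tid}-A--\n[21/May/2025:10:15:32 +0000] uid-{tid} {ip} 54321 198.51.100.5 443\nPOST / HTTP/1.1\n"
            f"--{tid}-B--\nPOST / HTTP/1.1\nHost: example.com\nContent-Type: {ctype}\n"
            f"--{tid}-H--\nStopwatch2: {start_us} {combined_us + 100}; combined={combined_us}, p1=10\n--{tid}-Z--\n\n")

BASE_US = 1_747_822_532_000_000  # constructed start time, microseconds since the epoch
SAMPLE_LOG = "".join(  # constructed: 25 slow JSON posts from one client within 25 s, plus two benign requests
    [make_entry(f"{n:08x}", BASE_US + n * 1_000_000, "203.0.113.10", "application/json", 900_000) for n in range(25)]
    + [make_entry("deadbeef", BASE_US + 5_000_000, "198.51.100.77", "application/x-www-form-urlencoded", 3_000),
       make_entry("cafebabe", BASE_US + 7_000_000, "198.51.100.78", "application/json", 4_000)])
```

Tune `burst`, `window_us` and `slow_us` against a baseline of normal JSON traffic before alerting on them, since legitimate API clients can be bursty.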
How to Mitigate CVE-2025-47947
Immediate Actions Required
- Audit ModSecurity configurations to identify rules using the sanitiseMatchedBytes action
- Implement network-level rate limiting for JSON payloads as a temporary protective measure
- Monitor systems for signs of active exploitation
- Plan upgrade path to ModSecurity version 2.9.9 when released
Patch Information
A fix has been developed and is available in ModSecurity Pull Request 3389. The patch is expected to be included in ModSecurity version 2.9.9. Organizations should monitor the GitHub Security Advisory GHSA-859r-vvv8-rm8r for release announcements and apply the update as soon as it becomes available.
Workarounds
- No official workarounds are available according to the vendor advisory
- As a temporary measure, consider disabling rules that use the sanitiseMatchedBytes action if operationally feasible
- Implement upstream rate limiting or WAF rules to restrict JSON request volume
- Consider deploying additional DDoS protection layers while awaiting the official patch
The following commands help assess exposure on an Apache deployment (paths follow common Debian layouts; adjust for your system):
# Confirm the module is loaded and which version started; ModSecurity 2.x writes its
# version banner to the Apache error log at startup
apachectl -M | grep security2
grep -i "ModSecurity for Apache" /var/log/apache2/error.log | tail -n 1
# Search the rule set for rules using the sanitiseMatchedBytes action
grep -rn "sanitiseMatchedBytes" /etc/modsecurity/
# List audit-log transactions in which a rule carrying sanitiseMatchedBytes matched
# (matched rule text is only logged when part K is included in SecAuditLogParts)
grep "sanitiseMatchedBytes" /var/log/modsec_audit.log
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.