0Md3Vo

**Name of the Vulnerable Software and Affected Versions** OWASP ModSecurity Core Rule Set (CRS) versions through 3.1.0 **Description** An issue was discovered that allows remote attackers to cause a denial of service (ReDOS) by entering a specially crafted string with `next#` at the beginning and nested repetition operators in the `/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf` endpoint. **Recommendations** For OWASP ModSecurity Core Rule Set (CRS) versions through 3.1.0, as a temporary workaround, consider restricting access to the `/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf` endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** OWASP ModSecurity Core Rule Set (CRS) versions through 3.1.0 **Description** An issue was discovered that allows remote attackers to cause a denial of service (ReDOS) by entering a specially crafted string with `set error handler#` at the beginning and nested repetition operators in the `/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf` API endpoint. **Recommendations** For OWASP ModSecurity Core Rule Set (CRS) versions through 3.1.0, as a temporary workaround, consider restricting access to the `/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf` endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.