
Max Leske

#30563 of 53,633
8.6 Total CVSS
Vulnerabilities · 1
PT-2024-1513
8.6
2024-01-30
Unknown · Modsecurity · CVE-2024-1019
**Name of the Vulnerable Software and Affected Versions**

ModSecurity / libModSecurity versions 3.0.0 through 3.0.11

**Description**

The issue is related to a WAF bypass for path-based payloads submitted via specially crafted request URLs. ModSecurity v3 decodes percent-encoded characters present in request URLs before it separates the URL path component from the optional query string component, resulting in an impedance mismatch versus RFC-compliant back-end applications. This hides an attack payload in the path component of the URL from WAF rules inspecting it. A back-end may be vulnerable if it uses the path component of request URLs to construct queries.

**Recommendations**

For ModSecurity / libModSecurity versions 3.0.0 through 3.0.11, upgrade to version 3.0.12 to resolve the issue. As a temporary workaround, consider restricting the use of percent-encoded characters in request URLs to minimize the risk of exploitation. Additionally, review and adjust WAF rules to ensure they properly inspect the URL path component.
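
The parsing-order mismatch described above, as an added example for auditing logged request targets (not code from ModSecurity or from this advisory). The function names and sample targets are constructed, and Python's `urllib.parse.unquote` stands in for the percent-decoding step.

```python
from urllib.parse import unquote


def split_then_decode(target):
    """RFC 3986 order: cut at the first literal '?', then decode the path."""
    raw_path, _, raw_query = target.partition("?")
    return unquote(raw_path), raw_query


def decode_then_split(target):
    """Order the advisory describes for 3.0.0-3.0.11: decode first, then cut."""
    path, _, query = unquote(target).partition("?")
    return path, query


def hidden_path_part(target):
    """Return the part of the back-end's path that decode-first parsing moves
    into the query string, or '' when both parse orders agree on the path."""
    backend_path, _ = split_then_decode(target)
    early_path, _ = decode_then_split(target)
    # The decode-first path is always a prefix of the RFC-order path.
    return backend_path[len(early_path):]


def audit(targets):
    """List (target, hidden_part) for every target the two orders disagree on."""
    return [(t, hidden_path_part(t)) for t in targets if hidden_path_part(t)]


# Constructed request targets, as they would appear in an access log.
SAMPLE_TARGETS = [
    "/items/42?sort=asc",               # plain path and query
    "/items/a%20b?x=1",                 # encoded space: both orders agree
    "/items/42%3Fview/extra?sort=asc",  # encoded '?' inside the path
    "/items/42%253Fview?sort=asc",      # double-encoded: stays '%3F' after one pass
]

if __name__ == "__main__":
    for target, hidden in audit(SAMPLE_TARGETS):
        print(f"{target!r}: path rules would not see {hidden!r}")
```

Running `audit` over historical access logs shows which past requests a path-inspecting rule on an affected version would have evaluated against a shorter path than the back-end used.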