Unknown · ModSecurity · CVE-2025-47947
**Name of the Vulnerable Software and Affected Versions**
ModSecurity versions up to and including 2.9.8
**Description**
ModSecurity is an open source, cross-platform web application firewall (WAF) engine for Apache, IIS and Nginx. The issue arises when the payload's content type is `application/json` and at least one rule uses the `sanitiseMatchedBytes` action; the result is a denial of service.
**Recommendations**
For versions up to and including 2.9.8, update to version 2.9.9, which is expected to include the patch available at pull request 3389.
As a temporary workaround, consider disabling rules that perform the `sanitiseMatchedBytes` action when the payload's content type is `application/json` until a patch is available.
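
One way to apply the workaround above, as an added example that is not part of the advisory or the ModSecurity project: scan rule files for rules (including chained sub-rules) that use `sanitiseMatchedBytes`, then render a rule that removes them only for `application/json` requests. The function names, the sample rules and the `<UNUSED_RULE_ID>` placeholder are assumptions made for this example.

```python
import re

# Both spellings, case-insensitive, so the scan over-reports rather than misses.
SANITISE = re.compile(r"\bsaniti[sz]eMatchedBytes\b", re.I)
RULE_ID = re.compile(r"\bid\s*:\s*'?(\d+)")
CHAIN = re.compile(r'[",]\s*chain\s*[",]')
# Constructed sample rule file (IDs and patterns are made up for this example).
SAMPLE_RULES = r'''
SecRule ARGS:password "@rx .+" \
    "id:100001,phase:2,pass,nolog,\
    sanitiseMatchedBytes"
SecRule REQUEST_URI "@contains /admin" "id:100002,phase:1,deny,status:403"
SecRule REQUEST_METHOD "@streq POST" "id:100003,phase:2,pass,nolog,chain"
    SecRule ARGS "@verifyCC \d{13,16}" "sanitiseMatchedBytes:1/4"
# SecRule ARGS "@rx x" "id:100004,phase:2,pass,sanitiseMatchedBytes"
'''

def logical_lines(text):
    """Yield directives with backslash continuations joined, comments dropped."""
    buf = ""
    for line in (raw.strip() for raw in text.splitlines()):
        if buf or not line.startswith("#"):
            buf += line.rstrip("\\")
            if buf and not line.endswith("\\"):
                yield buf
                buf = ""

def rules_using_sanitise_matched_bytes(text):
    """Return sorted IDs of rules (or chain starters) that use the action."""
    found, chain_id = set(), None
    for line in logical_lines(text):
        if not re.match(r"(?i)Sec(Rule|Action)\b", line):
            continue
        m = RULE_ID.search(line)
        rule_id = m.group(1) if m else chain_id  # chained sub-rules carry no id
        if SANITISE.search(line) and rule_id:
            found.add(int(rule_id))
        chain_id = rule_id if CHAIN.search(line) else None
    return sorted(found)

def json_workaround_rule(ids, own_id="<UNUSED_RULE_ID>"):
    """Render a phase:1 rule that removes those rules for JSON requests only."""
    ctl = ",".join(f"ctl:ruleRemoveById={i}" for i in ids)
    rule = ('SecRule REQUEST_HEADERS:Content-Type "@rx (?i)^application/json" '
            f'"id:{own_id},phase:1,pass,nolog,{ctl}"')
    return rule if ids else ""

if __name__ == "__main__":
    print(json_workaround_rule(rules_using_sanitise_matched_bytes(SAMPLE_RULES)))
```

Load the generated rule before the rules it names, since `ctl:ruleRemoveById` only affects rules evaluated after it. While those rules are removed, the bytes they would have masked may appear unmasked in the audit log.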