PT-2021-5748 · Unknown+5 · Modsecurity+5

Published 2021-11-22 · Updated 2025-07-03 · CVE-2021-42717

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions: ModSecurity versions 2.8.0 through 2.9.4; ModSecurity versions 3.0.0 through 3.0.5
Description: The issue stems from the mishandling of excessively nested JSON objects, which can leave the web server unable to service legitimate requests. Crafted JSON objects nested tens of thousands of levels deep can occupy one of the limited NGINX worker processes for minutes and consume almost all of the available CPU on the machine. Even moderately large HTTP requests, such as 300KB, can have this effect. A remote attacker can exploit this to cause a denial of service.
Recommendations: For ModSecurity versions 2.8.0 through 2.9.4 and 3.0.0 through 3.0.5, consider disabling the handling of nested JSON objects until a patch is available. As a temporary workaround, consider restricting the size of HTTP requests to minimize the risk of exploitation.
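The weakness behind this record is uncontrolled recursion while parsing nested JSON. The following is an added example, not code from ModSecurity or from this advisory: a non-recursive, single-pass depth gate that a request handler can run before handing a body to a real JSON parser, so over-deep bodies are rejected in linear time instead of being recursed into. MAX_JSON_DEPTH is an assumed policy value and the sample bodies are constructed for illustration.

```python
"""Reject request bodies whose JSON nesting exceeds a fixed depth.

Added example, not ModSecurity code. A single linear pass counts '[' / '{'
openers while skipping string contents, so the check itself never recurses
and costs O(len(body)) regardless of how deeply the body is nested.
"""
import json

MAX_JSON_DEPTH = 32  # assumed policy value; tune to what your API actually needs


def json_nesting_depth(body: str, limit: int = MAX_JSON_DEPTH) -> int:
    """Return the maximum container nesting depth of a JSON text, bailing out
    early once `limit` is exceeded (returns limit + 1). This is a gate, not a
    validator: it only tracks brackets/braces outside string literals."""
    depth = max_depth = 0
    in_string = escaped = False
    for ch in body:
        if in_string:
            if escaped:
                escaped = False          # character after a backslash is literal
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
            continue
        if ch == '"':
            in_string = True
        elif ch in "[{":
            depth += 1
            if depth > max_depth:
                max_depth = depth
                if max_depth > limit:
                    return max_depth     # stop reading: body is already too deep
        elif ch in "]}":
            depth = max(depth - 1, 0)    # tolerate stray closers; parser will reject
    return max_depth


def parse_bounded_json(body: str, limit: int = MAX_JSON_DEPTH):
    """Run the gate first; only then let the recursive parser see the body."""
    if json_nesting_depth(body, limit) > limit:
        raise ValueError(f"JSON nesting exceeds {limit} levels")
    return json.loads(body)


# Constructed samples: a normal object (with brackets inside strings, which
# must not count) and a body nested 40 levels deep.
NORMAL_BODY = '{"user": {"name": "a]{[", "tags": ["x", {"k": "\\"{"}]}}'
DEEP_BODY = "[" * 40 + "]" * 40
```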

Weakness Enumeration: Uncontrolled Recursion

Related Identifiers

ALT-PU-2021-3328
ALT-PU-2023-1799
AZL-44934
BDU:2022-00191
BIT-MODSECURITY-2021-42717
BIT-MODSECURITY2-2021-42717
CVE-2021-42717
DLA-3031-1
DSA-5023-1
MGASA-2021-0576
OESA-2021-1464
OESA-2022-1954
OPENSUSE-SU-2023:0257-1
OPENSUSE-SU-2023:0269-1
OPENSUSE-SU-2024:12118-1
USN-6370-1

Affected Products

Alt Linux
Debian
Linuxmint
Modsecurity
Nginx
Ubuntu