CVE-2025-52891

CVSS v2.0

7.8

High

Vector

AV:N/AC:L/Au:N/C:N/I:N/A:C

Name of the Vulnerable Software and Affected Versions: ModSecurity versions 2.9.8 through 2.9.10

Description: The issue occurs when an empty XML tag is encountered, causing a segmentation fault. This happens if SecParseXmlIntoArgs is set to On or OnlyArgs, the request type is application/xml, and at least one XML tag is empty.

Recommendations: For versions 2.9.8 through 2.9.10, update to version 2.9.11 to resolve the issue. As a temporary workaround for versions 2.9.8 through 2.9.10, consider setting SecParseXmlIntoArgs to Off.

Exploit

Fix

DoS

RCE

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-20

Related Identifiers

BDU:2026-00351

BIT-MODSECURITY-2025-52891

BIT-MODSECURITY2-2025-52891

CVE-2025-52891

GHSA-GW9C-4WFM-VJ3X

OESA-2025-1750

OESA-2025-1751

OESA-2025-1752

OESA-2025-1753

OESA-2025-1754

OESA-2025-1755

OPENSUSE-SU-2025:15313-1

Affected Products

Modsecurity

CVE-2025-52891

Weakness Enumeration

Related Identifiers

Affected Products

References · 34