A notable security flaw has been disclosed in ModSecurity, the widely used open-source Web Application Firewall (WAF). The vulnerability, tracked as CVE-2025-27110, could leave many web applications exposed to attack despite sitting behind a WAF, without their operators realizing it. Because ModSecurity is often deployed as the first line of defense for websites and online services, the flaw is judged to have a wide impact.

ModSecurity is designed to protect web applications from common attacks such as cross-site scripting (XSS), SQL injection, and remote code execution (RCE). The vulnerability was found in libmodsecurity3, the core library responsible for parsing and inspecting HTTP traffic. Specifically, CVE-2025-27110 affects libmodsecurity3 releases up to and including 3.0.13 and was rated with a CVSSv4 score of 7.9, indicating high severity.
The root cause lies in the way libmodsecurity3 decodes HTML entities. When a numeric character reference contains leading zeros (for example, &#0060; instead of &#60;), the library fails to decode it correctly. An attacker can exploit this to encode a malicious payload in a form that ModSecurity's transformation functions do not normalize, so signature-based rules never see the decoded characters they match on. A browser rendering the response, however, decodes the zero-padded form exactly like the unpadded one, so the malicious traffic passes through the WAF and reaches the web application behind it intact.
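The following is an added illustration of the parser differential described above; it is not libmodsecurity's code. The flawed decoder simply mimics the reported symptom (numeric entities with leading zeros are left undecoded), the fixed decoder shows the intended behaviour, and a regex for `<script` stands in for a WAF signature that would normally run after a transformation such as `t:htmlEntityDecode`. The payloads and the rule are constructed for the example.

```python
import html
import re

# Constructed payloads: "<script>" spelled with zero-padded decimal and hex
# character references. Without the padding, any WAF would catch them.
PAYLOAD = "&#0060;script&#0062;alert(1)&#0060;/script&#0062;"
HEX_PAYLOAD = "&#x003c;script&#x003e;alert(1)&#x003c;/script&#x003e;"

# Matches &#NNN; and &#xHHH; numeric character references.
_NUMERIC_REF = re.compile(r"&#([xX][0-9a-fA-F]+|[0-9]+);")

# Stand-in for a WAF signature applied after entity decoding (assumption).
XSS_RULE = re.compile(r"<\s*script", re.IGNORECASE)


def browser_decode(s: str) -> str:
    """Ground truth: html.unescape follows the HTML spec, which allows any
    number of leading zeros in a numeric character reference."""
    return html.unescape(s)


def flawed_decode(s: str) -> str:
    """Illustrative flawed decoder (NOT the real libmodsecurity routine): it
    refuses to decode a reference whose digits start with '0', so &#0060;
    survives untouched and the downstream rule never sees '<'."""
    def repl(m: re.Match) -> str:
        body = m.group(1)
        is_hex = body[0] in "xX"
        digits = body[1:] if is_hex else body
        if digits.startswith("0"):
            return m.group(0)          # the bug: zero-padded reference kept as-is
        return chr(int(digits, 16 if is_hex else 10))
    return _NUMERIC_REF.sub(repl, s)


def fixed_decode(s: str) -> str:
    """Decoder with the intended behaviour: leading zeros do not matter,
    because the digit string is converted as a whole number."""
    def repl(m: re.Match) -> str:
        body = m.group(1)
        is_hex = body[0] in "xX"
        cp = int(body[1:], 16) if is_hex else int(body, 10)
        if cp == 0 or cp > 0x10FFFF:
            return m.group(0)          # not a valid code point; leave it alone
        return chr(cp)
    return _NUMERIC_REF.sub(repl, s)


def rule_fires(decoder, payload: str) -> bool:
    """Run the signature over the decoder's output, as a WAF rule chain would."""
    return bool(XSS_RULE.search(decoder(payload)))


def reaches_browser_as_script(payload: str) -> bool:
    """Would a browser turn this reflected payload into a real <script> tag?"""
    return bool(XSS_RULE.search(browser_decode(payload)))


if __name__ == "__main__":
    for name, p in (("decimal", PAYLOAD), ("hex", HEX_PAYLOAD)):
        print(f"{name}: flawed WAF blocks={rule_fires(flawed_decode, p)}, "
              f"fixed WAF blocks={rule_fires(fixed_decode, p)}, "
              f"browser executes={reaches_browser_as_script(p)}")
```

The dangerous combination is the last two columns of the output: the browser executes the payload while the flawed decoder lets it through. Any WAF transformation that diverges from how the protected application's parser interprets input creates this kind of evasion window.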
The consequences of bypassing this inspection are serious. XSS or SQL injection attacks can be concealed in this way, leading administrators to believe the system is protected while malicious payloads have in fact reached the application. This is especially dangerous for organizations that rely heavily on ModSecurity without an additional layer of monitoring or testing.
In response, the ModSecurity development team released libmodsecurity3 version 3.0.14 to fix the HTML entity decoding error. The patch corrects the decoding routine so that HTML entities, including those with leading zeros, are fully decoded before security rules are applied.
Security experts recommend that all ModSecurity users update to the latest version immediately to eliminate the risk of exploitation. In addition, administrators should review their WAF rules, monitor access logs for unusual activity, and add defense-in-depth measures, since a WAF is only one layer of protection. Keeping ModSecurity up to date is key to ensuring it remains effective against increasingly sophisticated attack techniques.