Amazon Linux 2 Security Advisory: ALAS2-2025-2887
Advisory Released Date: 2025-06-12
Advisory Updated Date: 2025-06-12
ModSecurity is an open-source, cross-platform web application firewall (WAF) engine for Apache, IIS and Nginx. Versions up to and including 2.9.8 are vulnerable to denial of service in one special case (in stable released versions): when the payload's content type is `application/json` and at least one rule performs a `sanitiseMatchedBytes` action. A patch is available at pull request 3389 and is expected to be part of version 2.9.9. No known workarounds are available. (CVE-2025-47947)
ModSecurity is an open-source, cross-platform web application firewall (WAF) engine for Apache, IIS and Nginx. Versions prior to 2.9.10 contain a denial of service vulnerability similar to GHSA-859r-vvv8-rm8r/CVE-2025-47947. The `sanitiseArg` action (and `sanitizeArg`, an alias for the same action) is vulnerable to requests that add an excessive number of arguments, thereby leading to denial of service. Version 2.9.10 fixes the issue. As a workaround, avoid using rules that contain the `sanitiseArg` (or `sanitizeArg`) action. (CVE-2025-48866)
Affected Packages:
mod_security
Note:
This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.
Issue Correction:
Run yum update mod_security to update your system.
aarch64:
mod_security-2.9.10-1.amzn2.0.1.aarch64
mod_security-mlogc-2.9.10-1.amzn2.0.1.aarch64
mod_security-debuginfo-2.9.10-1.amzn2.0.1.aarch64
i686:
mod_security-2.9.10-1.amzn2.0.1.i686
mod_security-mlogc-2.9.10-1.amzn2.0.1.i686
mod_security-debuginfo-2.9.10-1.amzn2.0.1.i686
src:
mod_security-2.9.10-1.amzn2.0.1.src
x86_64:
mod_security-2.9.10-1.amzn2.0.1.x86_64
mod_security-mlogc-2.9.10-1.amzn2.0.1.x86_64
mod_security-debuginfo-2.9.10-1.amzn2.0.1.x86_64
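Two checks a defender would run against this advisory, as an added example that is not part of the ALAS text: one compares an installed mod_security VERSION-RELEASE with the fixed 2.9.10-1.amzn2.0.1 build, the other lists rules that use the sanitiseArg/sanitizeArg action (the CVE-2025-48866 workaround target) or sanitiseMatchedBytes (the CVE-2025-47947 trigger). The rule lines, rule ids and the pre-fix version string are constructed sample data so the script runs offline.

```shell
#!/bin/sh
# Added example, not part of the ALAS2-2025-2887 advisory: defender-side checks
# for the two ModSecurity issues it describes. FIXED_EVR comes from the advisory;
# the rule file and the pre-fix version below are constructed sample data.

FIXED_EVR="2.9.10-1.amzn2.0.1"   # VERSION-RELEASE shipped by ALAS2-2025-2887

# version_is_fixed VERSION-RELEASE
# Succeeds when the given rpm VERSION-RELEASE is at or above FIXED_EVR.
# Live value: rpm -q --qf '%{VERSION}-%{RELEASE}\n' mod_security
version_is_fixed() {
    # sort -V compares component-wise, so 2.9.8 sorts below 2.9.10
    highest=$(printf '%s\n%s\n' "$1" "$FIXED_EVR" | sort -V | tail -n 1)
    [ "$highest" = "$1" ]
}

# find_sanitise_actions RULEFILE
# Prints, with line numbers, every rule using sanitiseArg/sanitizeArg
# (avoid these as the CVE-2025-48866 workaround) or sanitiseMatchedBytes
# (the action involved in CVE-2025-47947 on application/json bodies).
# Exit status is grep's: 0 when at least one such rule exists.
find_sanitise_actions() {
    grep -nE 'saniti[sz]eArg|sanitiseMatchedBytes' "$1"
}

# Constructed sample rule set; ids and patterns are placeholders, not CRS rules
SAMPLE_RULES=$(mktemp)
cat >"$SAMPLE_RULES" <<'EOF'
SecRule ARGS "@rx select.+from" "id:1000001,phase:2,deny,sanitiseArg:password"
SecRule REQUEST_HEADERS:User-Agent "@rx scanner" "id:1000002,phase:1,deny"
SecRule REQUEST_BODY "@rx <script" "id:1000003,phase:2,deny,sanitiseMatchedBytes"
EOF

# Stand-alone demo: a constructed pre-fix build and the fixed build, then the
# rules that need attention until the update is installed
for evr in "2.9.8-1.amzn2" "$FIXED_EVR"; do
    if version_is_fixed "$evr"; then
        echo "mod_security $evr: fixed"
    else
        echo "mod_security $evr: vulnerable, run yum update mod_security"
    fi
done
find_sanitise_actions "$SAMPLE_RULES" || echo "no sanitise* rules found"
```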