Amazon Linux 2023 Security Advisory: ALAS2023-2025-1026
Advisory Released Date: 2025-06-23
Advisory Updated Date: 2025-06-23
ModSecurity is an open source, cross-platform web application firewall (WAF) engine for Apache, IIS and Nginx. Stable releases up to and including 2.9.8 are vulnerable to denial of service in one specific case: when the request body's content type is `application/json` and at least one rule performs the `sanitiseMatchedBytes` action. A patch is available in pull request 3389 and is expected to be part of version 2.9.9. No known workarounds are available. (CVE-2025-47947)
ModSecurity is an open source, cross-platform web application firewall (WAF) engine for Apache, IIS and Nginx. Versions prior to 2.9.10 contain a denial of service vulnerability similar to GHSA-859r-vvv8-rm8r/CVE-2025-47947. The `sanitiseArg` action (and `sanitizeArg`, an alias for the same action) can be driven into denial of service by a request that supplies an excessive number of arguments. Version 2.9.10 fixes the issue. As a workaround, avoid rules that use the `sanitiseArg` (or `sanitizeArg`) action. (CVE-2025-48866)
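Both issues are only reachable when a loaded rule actually uses one of the named actions, so before (or while) patching it is worth knowing which rules do. The following POSIX sh audit is an added example, not part of the advisory or of the ModSecurity project: it greps a rule set for `sanitiseMatchedBytes`, `sanitiseArg` and `sanitizeArg` on non-comment lines. The sample rule file it writes when run without arguments is constructed for illustration, and the `/etc/httpd/modsecurity.d/...` paths in the comment are an assumption about where the Amazon Linux package keeps its rules.

```shell
#!/bin/sh
# Added example, not part of the advisory or of ModSecurity itself: find the
# rules in a ModSecurity 2.x rule set that use the actions named in the two CVEs.

# Actions that matter here (taken from the advisory text): sanitiseMatchedBytes
# (CVE-2025-47947, triggered with application/json request bodies) and
# sanitiseArg / its alias sanitizeArg (CVE-2025-48866).
RISKY_ACTIONS='sanitiseMatchedBytes|sanitiseArg|sanitizeArg'

# list_risky_rules FILE...: print "file:line:text" for every non-comment line
# that carries one of the actions. The surrounding [^A-Za-z] guards stop the
# pattern from matching unrelated action names such as sanitiseRequestHeader.
list_risky_rules() {
    grep -nHE "(^|[^A-Za-z])($RISKY_ACTIONS)([^A-Za-z]|$)" "$@" 2>/dev/null \
        | grep -vE '^[^:]*:[0-9]+:[[:space:]]*#'
}

# count_risky_rules FILE...: number of lines list_risky_rules reports.
count_risky_rules() {
    list_risky_rules "$@" | wc -l | tr -d ' '
}

# write_sample_rules DIR: constructed sample rule file (not real CRS or
# production rules) used when the script is run without arguments.
write_sample_rules() {
    cat > "$1/sample.conf" <<'EOF'
# Constructed sample: JSON body processor plus four log-scrubbing rules
SecRule REQUEST_HEADERS:Content-Type "@beginsWith application/json" "id:900010,phase:1,pass,nolog,ctl:requestBodyProcessor=JSON"
SecRule ARGS "@rx (?i)password=" "id:900020,phase:2,pass,nolog,sanitiseMatchedBytes"
# SecRule ARGS:token "@rx ." "id:900030,phase:2,pass,nolog,sanitiseArg:token"
SecRule ARGS:session "@rx ." "id:900040,phase:2,pass,nolog,sanitizeArg:session"
SecRule REQUEST_HEADERS:Authorization "@rx ." "id:900050,phase:1,pass,nolog,sanitiseRequestHeader:Authorization"
EOF
}

if [ "$#" -gt 0 ]; then
    # Real use (assumed package layout):
    #   sh audit.sh /etc/httpd/modsecurity.d/*.conf /etc/httpd/modsecurity.d/activated_rules/*.conf
    list_risky_rules "$@"
else
    sample_dir=$(mktemp -d)
    write_sample_rules "$sample_dir"
    list_risky_rules "$sample_dir"/sample.conf
    echo "rules using risky actions: $(count_risky_rules "$sample_dir"/sample.conf)"
    rm -rf "$sample_dir"
fi
```

On the constructed sample the audit reports rules 900020 and 900040 and skips the commented-out 900030 and the unrelated `sanitiseRequestHeader` rule. Rules written with backslash continuations put their action list on a later line than their `id:`, so for those the reported line carries the action but not the rule ID; read the surrounding lines of the file. Finding a `sanitiseMatchedBytes` rule only matters for CVE-2025-47947 if JSON bodies are processed, which in the sample is enabled by the `ctl:requestBodyProcessor=JSON` rule.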
Affected Packages:
mod_security
Issue Correction:
Run dnf update mod_security --releasever 2023.7.20250623 to update your system.
aarch64:
mod_security-debugsource-2.9.10-1.amzn2023.0.1.aarch64
mod_security-mlogc-2.9.10-1.amzn2023.0.1.aarch64
mod_security-debuginfo-2.9.10-1.amzn2023.0.1.aarch64
mod_security-mlogc-debuginfo-2.9.10-1.amzn2023.0.1.aarch64
mod_security-2.9.10-1.amzn2023.0.1.aarch64
src:
mod_security-2.9.10-1.amzn2023.0.1.src
x86_64:
mod_security-debuginfo-2.9.10-1.amzn2023.0.1.x86_64
mod_security-debugsource-2.9.10-1.amzn2023.0.1.x86_64
mod_security-mlogc-debuginfo-2.9.10-1.amzn2023.0.1.x86_64
mod_security-mlogc-2.9.10-1.amzn2023.0.1.x86_64
mod_security-2.9.10-1.amzn2023.0.1.x86_64
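To confirm that a host is actually at the fixed build rather than trusting that the update ran, compare the installed `VERSION-RELEASE` of `mod_security` against the `2.9.10-1.amzn2023.0.1` listed above. The script below is an added example, not part of the advisory or of Amazon's tooling. It assumes an RPM-based host and a `sort` that supports `-V` (true of Amazon Linux 2023); the ordering `sort -V` produces agrees with RPM's own comparison for the version strings in this advisory, but `rpmdev-vercmp` is the authoritative comparator if one is available.

```shell
#!/bin/sh
# Added example, not part of the ALAS advisory: confirm the installed
# mod_security build is at or beyond the fixed version listed in the advisory.

# VERSION-RELEASE from the advisory's package list.
FIXED='2.9.10-1.amzn2023.0.1'

# version_at_least CURRENT FIXED: succeed when CURRENT sorts at or after FIXED
# under version sort (assumption: `sort -V` is available, as on Amazon Linux 2023).
version_at_least() {
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
    [ "$lowest" = "$2" ]
}

# mod_security_status: report this host's state.
# Return codes: 0 fixed or not installed, 1 vulnerable, 2 not an RPM host.
mod_security_status() {
    if ! command -v rpm >/dev/null 2>&1; then
        echo "rpm not available: not an RPM-based host, nothing to check"
        return 2
    fi
    # rpm -q prints "package ... is not installed" on stdout, so test silently.
    if ! rpm -q mod_security >/dev/null 2>&1; then
        echo "mod_security is not installed: not affected by ALAS2023-2025-1026"
        return 0
    fi
    cur=$(rpm -q --qf '%{VERSION}-%{RELEASE}' mod_security)
    if version_at_least "$cur" "$FIXED"; then
        echo "mod_security $cur: fixed (>= $FIXED)"
        return 0
    fi
    echo "mod_security $cur: VULNERABLE, run: dnf update mod_security --releasever 2023.7.20250623"
    return 1
}

# Report on this host; the function's return code mirrors the verdict.
mod_security_status || echo "exit status $?"
```

After `dnf update` the check should print the fixed line; a stale `httpd` worker still running the old module is not detected by package queries, so restart `httpd` once the package is updated. `dnf updateinfo info ALAS2023-2025-1026` gives the same advisory text from the package manager's own metadata if you prefer not to hard-code the version.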