Description

ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. In versions 2.9.8 to before 2.9.11, an empty XML tag can cause a segmentation fault. If SecParseXmlIntoArgs is set to On or OnlyArgs, and the request type is application/xml, and at least one XML tag is empty (eg <foo></foo>), then a segmentation fault occurs. This issue has been patched in version 2.9.11. A workaround involves setting SecParseXmlIntoArgs to Off.

INFO

Published Date :

2025-07-02T15:03:34.068Z

Last Modified :

2025-07-02T15:27:34.504Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-52891 vulnerability.

No data.

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-52891.

URL Resource
https://github.com/owasp-modsecurity/ModSecurity/commit/ecd7b9736836eee391d25f35d5bd06a3ce35a45d cve-icon cve-icon cve-icon
https://github.com/owasp-modsecurity/ModSecurity/security/advisories/GHSA-gw9c-4wfm-vj3x cve-icon cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2025-52891 cve-icon
https://www.cve.org/CVERecord?id=CVE-2025-52891 cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact