A critical vulnerability in ModSecurity’s Apache module has been disclosed, potentially exposing millions of web servers worldwide to denial-of-service attacks.

The flaw, tracked as CVE-2025-47947 and assigned a CVSS score of 7.5, affects the popular open-source web application firewall’s handling of JSON payloads under specific conditions.

Security researchers have confirmed that attackers can exploit this vulnerability with minimal effort, requiring only a single crafted request to consume excessive server memory and potentially crash targeted systems.

ModSecurity DoS Flaw (CVE-2025-47947)
The vulnerability was initially reported in March 2025 by Simon Studer from Netnea on behalf of Swiss Post, though it took several months for developers to successfully reproduce and understand the root cause.

CVE-2025-47947 specifically affects mod_security2, the Apache module version of ModSecurity, while the newer libmodsecurity3 implementation remains unaffected.
The flaw emerges when two specific conditions are met simultaneously: the incoming payload must have a Content-Type of application/json, and there must be at least one active rule utilizing the sanitiseMatchedBytes action.