CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2025-27110: Libmodsecurity3 has possible bypass of encoded HTML entities

7.9 CVSS

Description

Libmodsecurity is one component of the ModSecurity v3 project. The library codebase serves as an interface to ModSecurity Connectors taking in web traffic and applying traditional ModSecurity processing. A bug that exists only in Libmodsecurity3 version 3.0.13 means that, in 3.0.13, Libmodsecurity3 can't decode encoded HTML entities if they contains leading zeroes. Version 3.0.14 contains a fix. No known workarounds are available.

Classification

CVE ID: CVE-2025-27110

CVSS Base Severity: HIGH

CVSS Base Score: 7.9

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H

Problem Types

CWE-172: Encoding Error

Affected Products

Vendor: owasp-modsecurity

Product: ModSecurity

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.04% (probability of being exploited)

EPSS Percentile: 8.07% (scored less or equal to compared to others)

EPSS Date: 2025-03-26 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-27110
https://github.com/owasp-modsecurity/ModSecurity/security/advisories/GHSA-42w7-rmv5-4x2j
https://github.com/owasp-modsecurity/ModSecurity/issues/3340

Timeline