A newly disclosed security vulnerability in ModSecurity, one of the most widely deployed web application firewalls, could allow attackers to crash protected web applications through carefully crafted XML requests containing empty tags.
The vulnerability, tracked as GHSA-gw9c-4wfm-vj3x, affects mod_security2 versions 2.9.8 and later when specific XML parsing features are enabled, potentially exposing organizations to denial-of-service attacks that could disrupt critical web services and applications.
The security vulnerability stems from improper handling of XML parsing within ModSecurity’s SecParseXmlIntoArgs feature, which is designed to extract and analyze XML data from incoming HTTP requests for security inspection.
When this feature is configured to “On” or “OnlyArgs” mode, the web application firewall attempts to parse XML content from requests with the “application/xml” content type.
However, the parser fails with a segmentation fault when it processes XML documents that contain empty tags such as <foo></foo>.
The segmentation fault represents a serious memory access violation that immediately terminates the affected process, effectively taking down the protected web application or service.
This type of vulnerability is particularly concerning because it can be exploited remotely by sending malicious XML payloads to any web application protected by an affected ModSecurity deployment.
The simplicity of the attack vector, which requires only empty XML tags in a properly formatted request, makes this vulnerability relatively easy to exploit for attackers seeking to disrupt services.
ModSecurity WAF Vulnerability
The vulnerability impacts mod_security2 installations running versions 2.9.8 through 2.9.10, with version 2.9.11 containing the necessary security patches.
However, organizations should note that the vulnerability only manifests under specific configuration conditions, which may limit its practical impact in many deployments.
Key vulnerability conditions:
- Affected versions: mod_security2 versions 2.9.8 through 2.9.10.
- Patched version: Version 2.9.11 contains comprehensive security fixes.
- Configuration requirement: SecParseXmlIntoArgs directive must be set to “On” or “OnlyArgs”.
- Default setting: SecParseXmlIntoArgs is set to “Off” by default, limiting immediate exposure.
- At-risk deployments: Organizations that have explicitly enabled XML parsing capabilities for security policies.
Most vulnerable environments:
- Web applications with XML-based APIs requiring content inspection.
- Services processing XML data formats through ModSecurity.
- Organizations implementing comprehensive XML content security monitoring.
- Deployments where administrators have specifically enabled XML parsing features.
This default configuration means that many ModSecurity deployments may not be immediately vulnerable unless administrators have specifically enabled XML parsing capabilities for their security policies.
Organizations that have implemented comprehensive XML content inspection, particularly those handling XML-based APIs, web services, or applications that process XML data formats, are most likely to have enabled this feature and should prioritize assessment of their configurations.
Mitigations
According to the report, the most immediate and effective mitigation for this vulnerability is to disable the SecParseXmlIntoArgs feature by setting it to “Off” in the ModSecurity configuration files.
This workaround eliminates the attack vector entirely while maintaining the web application firewall’s other protective capabilities.
Organizations can implement this change immediately without waiting for patch deployment, providing rapid protection against potential exploitation attempts.
For long-term security, administrators should upgrade to mod_security2 version 2.9.11, which includes comprehensive fixes for the XML parsing vulnerability.
The patched version maintains full XML processing functionality while eliminating the segmentation fault condition that enables the denial-of-service attacks.
Organizations should also review their ModSecurity configurations to ensure that XML parsing features are only enabled when necessary for legitimate security monitoring requirements, following the principle of minimal necessary functionality to reduce potential attack surfaces.
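As an added illustration of the configuration review described above (not code from the advisory or the ModSecurity project), the following script checks a mod_security2 configuration for the exposed SecParseXmlIntoArgs modes together with the affected version range; the sample configuration text is constructed, and the directive-parsing rules (comments ignored, last occurrence wins, quoted values allowed) are assumptions about Apache-style config handling.

```python
import re

# Affected range as stated in the advisory; 2.9.11 carries the fix.
AFFECTED_MIN = (2, 9, 8)
AFFECTED_MAX = (2, 9, 10)
# The crash is only reachable in these two modes; "Off" is the default.
EXPLOITABLE_MODES = {"on", "onlyargs"}
# Assumption: directive names are case-insensitive and the value may be quoted.
DIRECTIVE_RE = re.compile(r'^SecParseXmlIntoArgs\s+"?(\w+)"?$', re.IGNORECASE)


def parse_version(version):
    """Turn '2.9.10' into (2, 9, 10) so the range compares numerically."""
    return tuple(int(part) for part in version.strip().split("."))


def version_affected(version):
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def effective_xml_mode(config_text):
    """Effective SecParseXmlIntoArgs value: comments ignored, last one wins,
    and 'Off' when the directive never appears (the shipped default)."""
    mode = "Off"
    for line in config_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = DIRECTIVE_RE.match(stripped)
        if m:
            mode = m.group(1)
    return mode


def audit(config_text, version):
    """Return findings; an empty list means the crash condition cannot occur."""
    mode = effective_xml_mode(config_text)
    exposed = mode.lower() in EXPLOITABLE_MODES
    if version_affected(version) and exposed:
        return [f"vulnerable: {version} with SecParseXmlIntoArgs {mode}; set Off, upgrade to 2.9.11"]
    if version_affected(version):
        return [f"upgrade: {version} is in the affected range (directive is {mode})"]
    if exposed:
        return [f"review: directive is {mode}; keep it only if XML inspection is required"]
    return []


# Constructed sample: a commented-out line, the exposed mode, then the hardened override.
SAMPLE_CONFIG = "SecRuleEngine On\n# SecParseXmlIntoArgs On\nSecParseXmlIntoArgs OnlyArgs\n"
HARDENED_CONFIG = SAMPLE_CONFIG + "SecParseXmlIntoArgs Off\n"
```

Run `audit(open(path).read(), version)` over each included configuration file; a non-empty result on an affected version means the workaround or the upgrade still needs to be applied.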