Libmodsecurity3 HTML Entity Decoding Vulnerability in Version 3.0.13

Vulnerability

A decoding vulnerability has been identified in Libmodsecurity3 version 3.0.13, where the library fails to properly decode HTML entities that contain leading zeroes. This issue allows encoded payloads to bypass inspection. The vulnerability has been addressed in version 3.0.14, but no known workarounds are available.

Impact

Payloads encoded as HTML entities with leading zeroes pass through the engine without being decoded, so rules that should match the decoded content do not fire; this can allow other vulnerabilities in the protected application to be exploited.
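As an added illustration of the decoding behaviour the advisory describes (example code written for this page, not Libmodsecurity3's own decoder and not the CRS test), the Python below shows a numeric character reference decoder that treats `&#0060;` and `&#x003c;` exactly like `&#60;`, cross-checks its output against the standard library's `html.unescape`, and flags leading-zero references as an indicator a defender can log or alert on until the upgrade to 3.0.14 is complete. The `inspect` helper and all sample strings are constructed for this example.

```python
import html
import re

# Numeric character references in decimal (&#60;) or hex (&#x3c;) form.
# Both digit groups accept leading zeroes, which is the case this advisory is about.
_NUMERIC_REF = re.compile(r"&#(?:[xX]([0-9a-fA-F]+)|([0-9]+));?")

# Numeric references whose digit string starts with a redundant zero
# (&#0060; or &#x003c;). A bare &#0; is code point zero, not a leading zero.
_LEADING_ZERO_REF = re.compile(r"&#(?:[xX]0[0-9a-fA-F]+|0[0-9]+);?")


def decode_numeric_refs(text: str) -> str:
    """Decode numeric HTML character references, tolerating leading zeroes.

    Leading zeroes are stripped before conversion, so &#60;, &#060; and
    &#0000060; all yield '<'. Out-of-range code points are left untouched.
    """
    def _replace(match: re.Match) -> str:
        hex_digits, dec_digits = match.group(1), match.group(2)
        base = 16 if hex_digits is not None else 10
        digits = (hex_digits if hex_digits is not None else dec_digits).lstrip("0") or "0"
        # 0x10FFFF is 7 decimal digits; anything longer cannot be a valid code point.
        if len(digits) > 7:
            return match.group(0)
        code_point = int(digits, base)
        if code_point > 0x10FFFF:
            return match.group(0)
        return chr(code_point)

    return _NUMERIC_REF.sub(_replace, text)


def find_leading_zero_refs(text: str) -> list:
    """Return every numeric reference in text that uses leading zeroes.

    Legitimate content almost never encodes characters this way, so the
    presence of such references is a useful signal to log on its own.
    """
    return _LEADING_ZERO_REF.findall(text)


def inspect(text: str, forbidden: str) -> dict:
    """Constructed stand-in for an inspection step: decode first, then match.

    Returns the decoded text, whether the forbidden substring is present in
    it, any leading-zero references seen in the raw input, and whether the
    decoder agrees with html.unescape for this input.
    """
    decoded = decode_numeric_refs(text)
    return {
        "decoded": decoded,
        "matched": forbidden in decoded,
        "leading_zero_refs": find_leading_zero_refs(text),
        "agrees_with_stdlib": decoded == html.unescape(text),
    }


if __name__ == "__main__":
    sample = "&#0060;b&#0062;"  # constructed input: '<b>' with leading-zero references
    print(inspect(sample, "<b>"))
```

The important property is that inspection runs on the decoded form: if the decoder stops at a leading zero, the raw string never contains the characters a rule is looking for, and the rule silently fails to match.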

Reproduction

The vulnerability can be reproduced by running the Core Rule Set (CRS) test '944150-23' with Libmodsecurity3 version 3.0.13 and the Nginx connector. This test will trigger the improper decoding of HTML entities with leading zeroes, demonstrating the vulnerability.

Remediation

Users can upgrade to Libmodsecurity3 version 3.0.14, which includes the necessary fix.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

  spread          0.0
  impact          7.5
  exploitability  8.7
  remediation     7.7
  relevance       0.0
  threat          6.4
  urgency         2.9
  incentive       5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.