ModSecurity Denial-of-Service Vulnerability in `sanitiseArg` Action

Vulnerability

A denial-of-service vulnerability has been identified in ModSecurity versions prior to 2.9.10. The issue arises in the `sanitiseArg` action, which can be exploited by sending a large number of arguments, leading to excessive memory consumption. This vulnerability is particularly problematic when the request payload is `application/json`, as the JSON processor can generate a high volume of arguments that are then repeatedly added to a list for sanitization. After a few such requests, the server may run out of memory, causing an error.

Impact

Exploitation of this vulnerability can lead to high memory usage, causing the server to run out of memory and potentially crash.

Reproduction

To reproduce this vulnerability, create a JSON payload with a large number of items (e.g., 1000) and send it in a POST request to a server with ModSecurity enabled. Ensure that the request is processed by a rule that uses the `sanitiseMatchedBytes` action, as this will trigger the vulnerability. Monitor the server's memory usage to observe the impact.

Remediation

Users can upgrade to ModSecurity version 2.9.10 or later, where this vulnerability has been patched. If an upgrade is not possible, avoid using rules that include the `sanitiseArg` action.
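While upgrading is the fix, a defender triaging this advisory usually needs two quick checks first: whether the deployed ModSecurity version is still below 2.9.10, and which rules in the configuration actually use the `sanitiseArg` action so they can be reviewed or disabled in the meantime. The helper below is an added example, not code from the advisory or from the ModSecurity project; it assumes a ModSecurity 2.x version string of the form `major.minor.patch` and plain `SecRule`/`SecAction` configuration text, and it also matches the `sanitizeArg` spelling that ModSecurity accepts as an alias. The sample configuration is constructed for the demonstration.

```python
import re

FIXED_VERSION = (2, 9, 10)   # release the advisory names as patched


def is_vulnerable_version(version):
    """True for a ModSecurity 2.x version string below 2.9.10 (e.g. '2.9.9')."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    parts = tuple(int(p) for p in m.groups())
    return parts[0] == 2 and parts < FIXED_VERSION


# action name as a whole word inside a rule's action list, either spelling
_SANITISE_RE = re.compile(r"\bsaniti[sz]eArg\b")
_ID_RE = re.compile(r"\bid:'?(\d+)'?")


def _join_continuations(text):
    """Fold backslash-continued lines into single logical directives."""
    directives, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        directives.append(buf + line)
        buf = ""
    if buf:
        directives.append(buf)
    return directives


def find_sanitise_rules(conf_text):
    """Return (rule id or '?', directive) for every rule using sanitiseArg."""
    hits = []
    for directive in _join_continuations(conf_text):
        name = directive.split(maxsplit=1)[0] if directive else ""
        if name not in ("SecRule", "SecAction"):
            continue          # comments, SecRuleEngine, includes, etc.
        if _SANITISE_RE.search(directive):
            m = _ID_RE.search(directive)
            hits.append((m.group(1) if m else "?", directive))
    return hits


# Constructed sample configuration for the demonstration (not a real deployment).
SAMPLE_CONF = """
# mask the password argument in the audit log
SecRule ARGS:password "@unconditionalMatch" \\
    "id:100001,phase:2,pass,nolog,sanitiseArg:password"
SecRule REQUEST_HEADERS:Content-Type "application/json" \\
    "id:100002,phase:1,pass,nolog,ctl:requestBodyProcessor=JSON"
SecAction "id:100003,phase:2,pass,sanitizeArg:token"
"""
```

Running `find_sanitise_rules` over a real rule set (for example the concatenation of the files an `Include` line pulls in) lists the rule ids to review; rule 100002 above is reported clean because it only switches on the JSON body processor.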

Added: Jun 5, 2025, 11:20 PM
Updated: Jun 5, 2025, 11:55 PM

Vulnerability Rating

Custom Algorithm

spread: 6.4
impact: 2.5
exploitability: 9.7
remediation: 8.3
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.