CVE-2025-27110 — HIGH (7.5)

Vulnerability Description

Libmodsecurity is one component of the ModSecurity v3 project. The library codebase serves as an interface to ModSecurity Connectors taking in web traffic and applying traditional ModSecurity processing. A bug that exists only in Libmodsecurity3 version 3.0.13 means that, in 3.0.13, Libmodsecurity3 can't decode encoded HTML entities if they contains leading zeroes. Version 3.0.14 contains a fix. No known workarounds are available.

CVSS Score

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

HIGH

Availability

NONE

Affected Products

Vendor	Product	Versions
Trustwave	Modsecurity	3.0.13

Related Weaknesses (CWE)

CWE-172

References

https://github.com/owasp-modsecurity/ModSecurity/issues/3340ExploitIssue Tracking
https://github.com/owasp-modsecurity/ModSecurity/security/advisories/GHSA-42w7-rVendor Advisory

FAQ

What is CVE-2025-27110?

CVE-2025-27110 is a vulnerability with a CVSS score of 7.5 (HIGH). Libmodsecurity is one component of the ModSecurity v3 project. The library codebase serves as an interface to ModSecurity Connectors taking in web traffic and applying traditional ModSecurity processi...

How severe is CVE-2025-27110?

CVE-2025-27110 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2025-27110?

Check the references section above for vendor advisories and patch information. Affected products include: Trustwave Modsecurity.