SB2026070343 - Multiple vulnerabilities in OWASP ModSecurity Core Rule Set (CRS)
Published: July 3, 2026
Description
This security bulletin contains information about 2 vulnerabilities.
1) Inefficient regular expression complexity (CVE-ID: N/A)
CWE-ID: CWE-1333 - Inefficient Regular Expression Complexity
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to cause a denial of service and bypass detection of malicious payloads.
The vulnerability exists due to inefficient regular expression complexity in the unix-shell-evasion regex assembly include and REQUEST-932-APPLICATION-ATTACK-RCE rules when processing a crafted request containing a long whitespace run. A remote attacker can send a specially crafted request to cause a denial of service and bypass detection of malicious payloads.
The issue is triggered when PCRE2 exceeds its backtracking limit, causing the affected rule evaluation to return an error instead of a match result. Coraza deployments using RE2 are not affected.
2) Improper Neutralization of Special Elements (CVE-ID: N/A)
CWE-ID: CWE-138 - Improper Neutralization of Special Elements
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to bypass detection of malicious payloads in XML attribute values.
The vulnerability exists due to improper neutralization of special elements in the XML request body inspection rules. A remote attacker can place an attack payload inside an XML attribute value to bypass detection of malicious payloads.
The issue affects rule families 921, 930, 931, 932, 933, 934, 941, 942, and 943 at every paranoia level, while the 944 Java family is unaffected.
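As an added illustration of the inspection gap described in item 2 (this is not code from the CRS project or from its fix), the following Python compares a collector that gathers only XML element text with one that also gathers attribute values and mixed-content tails; the sample body, the marker string and the stand-in rule are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample body (not from the advisory): the same marker string sits
# once in element text and once inside an attribute value.
SAMPLE_BODY = b'<order id="INSPECT_ME"><note>INSPECT_ME in text</note><item sku="x"/></order>'

# Stand-in for a detection rule; a real CRS rule carries a far longer regex.
RULE = re.compile(r"INSPECT_ME")


def text_nodes(body: bytes) -> list[str]:
    """Element text only: mirrors inspection that never looks at attributes."""
    root = ET.fromstring(body)
    return [el.text for el in root.iter() if el.text and el.text.strip()]


def text_and_attribute_nodes(body: bytes) -> list[str]:
    """Element text, mixed-content tails and every attribute value."""
    root = ET.fromstring(body)
    values: list[str] = []
    for el in root.iter():
        # .tail holds text that follows a child element inside its parent,
        # another location a text-only walk silently skips.
        for chunk in (el.text, el.tail):
            if chunk and chunk.strip():
                values.append(chunk)
        values.extend(el.attrib.values())
    return values


def count_hits(values: list[str]) -> int:
    """Number of inspected values that the stand-in rule flags."""
    return sum(1 for v in values if RULE.search(v))


if __name__ == "__main__":
    print("text only      :", count_hits(text_nodes(SAMPLE_BODY)))               # 1
    print("text+attributes:", count_hits(text_and_attribute_nodes(SAMPLE_BODY)))  # 2
```

Whatever the rule family, any inspection target that omits attribute values leaves the same gap, so a check like this belongs in the regression tests for every body-inspection rule set you maintain.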
Remediation
Install updates from the vendor's website.
References
- https://github.com/coreruleset/coreruleset/security/advisories/GHSA-f5qm-3h4p-8qhg
- https://github.com/coreruleset/coreruleset/commit/e3b612a909532dcc8d056c01ac04b31117b71505
- https://github.com/coreruleset/coreruleset/security/advisories/GHSA-6jp8-c2w2-x7wr
- https://github.com/coreruleset/coreruleset/commit/275d7616f1ceb6f1024c3bfbeb1f4ae2ae9ad010