Inefficient regular expression complexity in OWASP ModSecurity Core Rule Set (CRS) - #VU136862
Published: July 3, 2026
OWASP ModSecurity Core Rule Set (CRS)
Detailed vulnerability description
The vulnerability allows a remote attacker to cause a denial of service and bypass detection of malicious payloads.
The vulnerability exists due to inefficient regular expression complexity in the unix-shell-evasion regex assembly include and REQUEST-932-APPLICATION-ATTACK-RCE rules when processing a crafted request containing a long whitespace run. A remote attacker can send a specially crafted request to cause a denial of service and bypass detection of malicious payloads.
The issue is triggered when PCRE2 exceeds its backtracking limit, causing the affected rule evaluation to return an error instead of a match result. Coraza deployments using RE2 are not affected.
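An added illustration (not code from CRS, ModSecurity or Coraza) of the failure mode described above: a toy backtracking matcher with a step budget returns an error rather than a match result, and the caller's handling of that error decides what happens to the request. The stand-in pattern, the `BADTOKEN` marker, the step limit and the `fail_closed` policy are assumptions made for the example.

```python
from enum import Enum

TOKEN = "BADTOKEN"  # constructed marker standing in for a payload a rule detects

class Outcome(Enum):
    NO_MATCH = "no_match"
    MATCH = "match"
    ERROR = "error"  # engine gave up: no match result exists

class LimitExceeded(Exception):
    """Stand-in for a backtracking engine's match-limit error."""

def search(text, limit):
    """Toy backtracking search for the stand-in pattern (?:\\s+)*BADTOKEN.

    Each visited position costs one step and the budget covers the whole
    call, so a costly early position starves later ones.
    """
    steps = 0

    def groups(pos):
        nonlocal steps
        steps += 1
        if steps > limit:
            raise LimitExceeded(f"gave up after {limit} steps")
        if text.startswith(TOKEN, pos):
            return True
        end = pos
        while end < len(text) and text[end].isspace():
            end += 1                 # try every way to split the whitespace run
            if groups(end):
                return True
        return False

    return any(groups(start) for start in range(len(text) + 1))

def evaluate(text, limit=10_000):
    """Return a three-state outcome instead of collapsing errors into False."""
    try:
        return Outcome.MATCH if search(text, limit) else Outcome.NO_MATCH
    except LimitExceeded:
        return Outcome.ERROR

def decide(outcome, fail_closed):
    """Only an explicit policy turns ERROR into an action."""
    if outcome is Outcome.ERROR:
        return "block" if fail_closed else "pass"
    return "block" if outcome is Outcome.MATCH else "pass"

CRAFTED = " " * 40 + "x" + TOKEN     # constructed input: long whitespace run first
```

With the whitespace run in front, the marker that would otherwise match is never reached, so a caller that treats `ERROR` like `NO_MATCH` lets the request through while a fail-closed caller does not.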