Inefficient regular expression complexity in OWASP ModSecurity Core Rule Set (CRS) - #VU136862

Published: July 3, 2026


Vulnerability identifier: #VU136862
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: N/A
CWE-ID: CWE-1333
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: OWASP
Affected software:
OWASP ModSecurity Core Rule Set (CRS)

Detailed vulnerability description

The vulnerability allows a remote attacker to cause a denial of service and bypass detection of malicious payloads.

The vulnerability exists due to inefficient regular expression complexity in the unix-shell-evasion regex assembly include and the REQUEST-932-APPLICATION-ATTACK-RCE rules when they process a crafted request containing a long whitespace run. A remote attacker can send a specially crafted request to cause a denial of service and bypass detection of malicious payloads.

The issue is triggered when PCRE2 exceeds its backtracking limit, causing the affected rule evaluation to return an error instead of a match result. Coraza deployments using RE2 are not affected.
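An added illustration, not code from CRS, ModSecurity or PCRE2: a minimal backtracking matcher for the nested-quantifier shape `(?:\s+)+MARKER` (a constructed stand-in for the affected expression, not the real rule, with `;` as a placeholder marker) whose step budget plays the role of PCRE2's match limit, the unambiguous rewrite `\s+MARKER` beside it, and a rule evaluator showing why an error returned instead of a match result turns into a bypass when it is treated as "no match".

```python
class MatchLimitError(Exception):
    """Step budget exhausted; PCRE2 reports an error code at this point."""

def nested_ws_search(text, marker, limit):
    r"""Stand-in for the affected rule shape, not the CRS regex: (?:\s+)+MARKER,
    where inner \s+ and outer (...)+ overlap, so n spaces with no MARKER after
    them are split 2^n - 1 ways before failing."""
    steps = 0

    def group(pos):
        nonlocal steps
        end = pos
        while end < len(text) and text[end].isspace():
            end += 1
        for cut in range(end, pos, -1):  # greedy: longest group first
            steps += 1
            if steps > limit:
                raise MatchLimitError(f"match limit {limit} exceeded")
            if group(cut) or text.startswith(marker, cut):
                return True
        return False

    for start in range(len(text)):
        if group(start):
            return True, steps
    return False, steps

def flat_ws_search(text, marker, limit):
    r"""Search for \s+MARKER: one greedy run per start position, backtracking a
    character at a time, so each position costs at most the run length."""
    steps = 0
    for start in range(len(text)):
        end = start
        while end < len(text) and text[end].isspace():
            end += 1
        for cut in range(end, start, -1):
            steps += 1
            if steps > limit:
                raise MatchLimitError(f"match limit {limit} exceeded")
            if text.startswith(marker, cut):
                return True, steps
    return False, steps

def evaluate_rule(search, request, marker, limit=10_000, fail_closed=True):
    """WAF decision. Mapping an engine error to 'no match' is the bypass."""
    try:
        matched, _ = search(request, marker, limit)
        return "block" if matched else "allow"
    except MatchLimitError:
        return "block" if fail_closed else "allow"
```

A request of forty spaces followed by `a ;` exhausts the budget under the nested shape before the marker is ever reached, while the flat rewrite finds it in a few hundred steps; a fail-open evaluator lets the first case through.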


Remediation

Install the security update from the vendor's website.

Sources