Libmodsecurity3 3.0.13 HTML Entity Zero-Padding Decode Failure CVE-2025-27110
CVE-2025-27110 Published on February 25, 2025
Libmodsecurity3 has possible bypass of encoded HTML entities
Libmodsecurity is one component of the ModSecurity v3 project. The library codebase serves as an interface to ModSecurity Connectors, taking in web traffic and applying traditional ModSecurity processing. A bug that exists only in Libmodsecurity3 version 3.0.13 means that, in 3.0.13, Libmodsecurity3 can't decode encoded HTML entities if they contain leading zeroes. Version 3.0.14 contains a fix. No known workarounds are available.
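A regression check for the decoding behaviour described above, as an added example that is not code from Libmodsecurity3 or from this advisory: a reference decoder for numeric character references is used to list every zero-padded spelling that a decoder under test leaves undecoded. The function names and the `strict_digits_decoder` stand-in are assumptions constructed for illustration.

```python
import re

# Numeric character references: decimal (&#60;) or hex (&#x3c;), with any zero padding.
_NUMERIC_REF = re.compile(r"&#(?:[xX]([0-9a-fA-F]+)|([0-9]+));?")

def decode_numeric_refs(text):
    """Reference decoder: leading zeroes never change the code point."""
    def repl(m):
        hex_digits, dec_digits = m.group(1), m.group(2)
        cp = int(hex_digits, 16) if hex_digits else int(dec_digits, 10)
        # Leave NUL, surrogates and out-of-range values untouched.
        if cp == 0 or cp > 0x10FFFF or 0xD800 <= cp <= 0xDFFF:
            return m.group(0)
        return chr(cp)
    return _NUMERIC_REF.sub(repl, text)

def padded_variants(ch, max_pad=6):
    """Decimal and hex spellings of one character with 0..max_pad leading zeroes."""
    cp = ord(ch)
    out = []
    for pad in range(max_pad + 1):
        out.append("&#" + "0" * pad + str(cp) + ";")
        out.append("&#x" + "0" * pad + format(cp, "x") + ";")
    return out

def find_undecoded(decoder, chars="<>\"'&", max_pad=6):
    """Spellings that `decoder` fails to turn back into the original character."""
    return [v for ch in chars for v in padded_variants(ch, max_pad)
            if decoder(v) != ch]

def strict_digits_decoder(text):
    """Constructed stand-in (hypothetical, not the library's code): a decoder
    that gives up on any reference whose digits start with a zero."""
    def repl(m):
        digits = m.group(1) or m.group(2)
        if len(digits) > 1 and digits.startswith("0"):
            return m.group(0)
        return decode_numeric_refs(m.group(0))
    return _NUMERIC_REF.sub(repl, text)

if __name__ == "__main__":
    print(len(find_undecoded(decode_numeric_refs)), "missed by reference decoder")
    print(len(find_undecoded(strict_digits_decoder)), "missed by stand-in decoder")
```

To check a real deployment, pass `find_undecoded` a callable that wraps the decoding step of the rule engine being tested; an empty list means every padded spelling was normalised.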
Weakness Type
Encoding Error
The software does not properly encode or decode the data, resulting in unexpected values.
Affected Versions
owasp-modsecurity ModSecurity Version = 3.0.13 is affected by CVE-2025-27110
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.