v2.9.9

Changes in v2.9.9:

There is a DoS vulnerability in previous versions, see CVE 2025-47947. This release includes a fix for it.

• fix: DoS vulnerability
  [PR from private repo - @theseion, @fzipi, @airween; fixed CVE-2025-47947]
• chore: log error codes for global mutex failure modes.
  [Issue #3387 - @airween]
• chore: refactor build system to use PCRE2
  [Issue #3383 - @airween]
• feat: add 'make test' to v2's workflow
  [Issue #3379 - @airween]
• fix: 'make test' is able to run again
  [Issue #3378 - @airween]
• fix: add PCRE2 capability to standalone module
  [Issue #3377 - @airween]
• chore: remove unnecessary @LIBXML2_CFLAGS@ from linker flags
  [Issue #3376 - @airween]
• fix: add msc_fullinfo() to check JIT compilation
  [Issue #3375 - @airween]
• Fix error logging for standalone module
  [Issue #3374 - @RedXanadu]
• Fix compiler warnings from GCC
  [Issue #3372 - @notroj]
• feat: improved XMLArgs processing
  [Issue #3358 - @airween]
• Incorrect utf8toUnicode transformation for 00xx
  [Issue #3284 - @marcstern]
• Fixed PCRE2 error message
  [Issue #3279 - @marcstern]
• make rootpath and incpath consts for apr_filepath_root
  [Issue #3270 - @Marcool04]
• Fix apr_global_mutex_create() usage
  [Issue #3269 - @marcstern]
• chore: add 'log' action to rule 200005 (v2/master)
  [Issue #3267 - @airween]
• Move id_log() to msc_util to fix unit tests; it is declared on msc_ut…
  [Issue #3265 - @rainerjung]
• Missing #include <time.h>
  [Issue #3262 - @marcstern]
• Fixed apr_global_mutex_create() usage (no filename)
  [PR #3269 - @marcstern]
• handle errors from apr_global_mutex_lock
  [PR #3257 - @marcstern]

Special thanks to @theseion and @fzipi for their big help, and all other participants.

v3.0.14

Major changes in v3:

• changed t:htmlEntityDecode transformation; fixed CVE-2025-27110
• add value checking to @validateByteRange operator
• fixed build library on OSX without GeoIP brew package
• aligned TIME_MON variable's behavior
• Leverage std::make_unique & std::make_shared to create objects in the heap
• Simplified handling of RuleMessage by removing usage of std::shared_ptr
• Simplified constructors, copy constructors & assignment operators

For more information please see CHANGES.

v3.0.13

Major changes in v3:

• added Windows port
• improved CI workflow
• removed unnecessary string copy operations, improved engine speed - several PR's
• fixed a bug in @pm operator
• extended the C/C++ API

For more information please see CHANGES.

v2.9.8

Major changes in v2:

• added a CI workflow
• changed error log format
• added a new MULTIPART HEADER check
• fixed many potential memory leaks and other potential memory handling problems

For more information please see CHANGES.

v3.0.12

Security impacting issue

• Change REQUEST_FILENAME and REQUEST_BASENAME behavior
  [Issue #3048 - @martinhsv, @theMiddleBlue, @theseion, @M4tteoP, @airween]
  WAF bypass of the ModSecurity v3 release line for path-based payloads by submitting a specially crafted request URL. For details, see CVE 2024-1019.

Enhancements and bug fixes

• Set the minimum security protocol version (TLSv1.2) for SecRemoteRules
  [Issue security/code-scanning/2 - @airween]

v3.0.11

Security impacting issue

• Add WRDE_NOCMD to wordexp call
  [Issue #3024 - @sahruldotid, @martinhsv ]
  Note: Although this issue ostensibly allows for specially-crafted SecRule content to execute OS command-line commands when the rules are loaded, this is unlikely to be a serious issue in most deployments. A malicious actor who has access to modify the ModSecurity configuration of an installation can cause severe effects in a multitude of other ways.

New feature

• Add support for expirevar action
  [Issue #1803, #3001 - @martinhsv]

Enhancements and bug fixes

• Fix: validateDTD compile fails if libxml2 not installed
  [Issue #3014 - @zangobot, @martinhsv]
• Fix memory leak of validateDTD's dtd object
  [Issue #3008 - @martinhsv, @zimmerle ]
• Fix memory leaks in ValidateSchema
  [Issue #3005 - @martinhsv, @zimmerle]
• Fix: lmdb regex match on non-null terminated string
  [Issue #2985 - @martinhsv]
• Fix memory leaks in lmdb code (new'd strings)
  [Issue #2983 - @martinhsv]
• Configure: add additional name to pcre2 pkg-config list
  [Issue #2939 - @agebhar1, @fzipi, @martinhsv]

v3.0.10

Security impacting issue

• Fix: worst-case time in implementation of four transformations
  [Issue #2934 - @martinhsv]
  Additional information on this issue is available at https://www.trustwave.com/resources/blogs/spiderlabs-blog/modsecurity-v3-dos-vulnerability-in-four-transformations-cve-2023-38285/

Enhancements and bug fixes

• Add TX synonym for MSC_PCRE_LIMITS_EXCEEDED
  [Issue #2901 - @airween]
• Make MULTIPART_PART_HEADERS accessible to lua
  [Issue #2916 - @martinhsv]
• Fix: Lua scripts cannot read whole collection at once
  [Issue #2900 - @udi-aharon, @airween, @martinhsv]
• Fix: quoted Include config with wildcard
  [Issue #2905 - @wiseelf, @airween, @martinhsv]
• Support isolated PCRE match limits
  [Issue #2736 - @brandonpayton, @martinhsv]
• Fix: meta actions not applied if multiMatch in first rule of chain
  [Issue #2867, #2868 - @mlevogiannis, @martinhsv]
• Fix: audit log may omit tags when multiMatch
  [Issue #2866 - @mlevogiannis]
• Exclude CRLF from MULTIPART_PART_HEADER value
  [Issue #2870 - @airween, @martinhsv]
• Configure: use AS_ECHO_N instead echo -n
  [Issue #2894 - @liudongmiao, @martinhsv]
• Adjust position of memset from 2890
  [Issue #2891 -@mirkodziadzka-avi, @martinhsv]

v3.0.9

Security issue

• Add some member variable inits in Transaction class (possible segfault)
  [Issue #2886 - @GNU-Plus-Windows-User, @airween, @mdounin, @martinhsv]

Enhancements and bug fixes

• Fix: possible segfault on reload if duplicate ip+CIDR in ip match list
  [Issue #2877, #2890 - @tomsommer, @martinhsv]
• Resolve memory leak on reload (bison-generated variable)
  [Issue #2876 - @martinhsv]
• Support equals sign in XPath expressions
  [Issue #2328 - @dennus, @martinhsv]
• Encode two special chars in error.log output
  [Issue #2854 - @airween, @martinhsv]
• Add JIT support for PCRE2
  [Issue #2791 - @wfjsw, @airween, @FireBurn, @martinhsv]
• Support comments in ipMatchFromFile file via '#' token
  [Issue #2554 - @tomsommer, @martinhsv]
• Use name package name libmaxminddb with pkg-config
  [Issue #2595, #2596 - @frankvanbever, @ffontaine, @arnout]
• Fix: FILES_TMP_CONTENT collection key should use part name
  [Issue #2831 - @airween]
• Use AS_HELP_STRING instead of obsolete AC_HELP_STRING macro
  [Issue #2806 - @hughmcmaster]
• During configure, do not check for pcre if pcre2 specified
  [Issue #2750 - @dvershinin, @martinhsv]
• Use pkg-config to find libxml2 first
  [Issue #2714 - @hughmcmaster]
• Fix two rule-reload memory leak issues
  [Issue #2801 - @Abce, @martinhsv]
• Correct whitespace handling for Include directive
  [Issue #2800 - @877509395, @martinhsv]

v2.9.7

Security impacting issues

• Fix: FILES_TMP_CONTENT may sometimes lack complete content
  [Issue #2857 - gieltje, @airween, @dune73, @martinhsv]

New features

• Support configurable limit on number of arguments processed
  [Issue #2844 - @jleproust, @martinhsv]
• Support for PCRE2
  [Issue #2840, #2833, #2737, #2827 - @martinhsv]

Bug fixes and enhancements

• Silence compiler warning about discarded const
  [Issue #2843 - @Steve8291, @martinhsv]
• Use uid for user if apr_uid_name_get() fails
  [Issue #2046 - @arminabf, @marcstern]
• Fix: handle error with SecConnReadStateLimit configuration
  [Issue #2815, #2834 - @marcstern, @martinhsv]]
• Adjustment of previous fix for log messages
  [Issue #2832 - @marcstern, @erkia]
• Mark apache error log messages as from mod_security2
  [Issue #2781 - @erkia]
• Use pkg-config to find libxml2 first
  [Issue #2818 - @hughmcmaster]

v3.0.8

Note: additional information on the release and some of the key changes will be published separately in short order.

New features and security impacting issues

• Adjust parser activation rules in modsecurity.conf-recommended
  [Issue #2796 - @terjanq, @martinhsv]
• Multipart parsing fixes and new MULTIPART_PART_HEADERS collection
  [Issue #2795 - @terjanq, @martinhsv]

Bug fixes

• Prevent LMDB related segfault
  [Issue #2755, #2761 - @dvershinin]
• Fix msc_transaction_cleanup function comment typo
  [Issue #2788 - @lookat23]
• Fix: MULTIPART_INVALID_PART connected to wrong internal variable
  [Issue #2785 - @martinhsv]
• Restore Unique_id to include random portion after timestamp
  [Issue #2752, #2758 - @datkps11, @martinhsv]