CVE-2025-47947: CWE-1050: Excessive Platform Resource Consumption within a Loop in owasp-modsecurity ModSecurity
ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. Versions up to and including 2.9.8 are vulnerable to denial of service in one special case (in stable released versions): when the payload's content type is `application/json`, and there is at least one rule which does a `sanitiseMatchedBytes` action. A patch is available at pull request 3389 and expected to be part of version 2.9.9. No known workarounds are available.
AI Analysis
Technical Summary
CVE-2025-47947 is a high-severity vulnerability affecting ModSecurity, an open-source, cross-platform web application firewall (WAF) engine widely used with Apache, IIS, and Nginx web servers. The vulnerability is classified under CWE-1050, which pertains to excessive platform resource consumption within a loop, leading to denial of service (DoS). Specifically, versions of ModSecurity up to and including 2.9.8 are vulnerable when processing HTTP requests with the content type 'application/json' if at least one active rule uses the 'sanitiseMatchedBytes' action. This action triggers a loop that consumes excessive CPU and memory resources, potentially exhausting system resources and causing the WAF or the underlying web server to become unresponsive or crash. The vulnerability does not require any authentication or user interaction and can be exploited remotely by sending specially crafted HTTP requests. A patch addressing this issue has been merged (pull request 3389) and is expected to be included in version 2.9.9. No known workarounds are currently available, and there are no reports of active exploitation in the wild as of the publication date. The CVSS v3.1 base score is 7.5, reflecting the network attack vector, low attack complexity, no privileges or user interaction required, and a high impact on availability without affecting confidentiality or integrity.
Potential Impact
For European organizations, this vulnerability poses a significant risk to the availability of web applications protected by ModSecurity versions 2.9.8 or earlier. Since ModSecurity is commonly deployed as a WAF in many enterprise and public sector environments across Europe, exploitation could lead to denial of service conditions, disrupting critical web services and potentially causing downtime for customer-facing portals, internal applications, or APIs. This disruption could affect sectors such as finance, healthcare, government, and e-commerce, where availability is crucial. Additionally, the DoS condition could be leveraged as part of a broader attack strategy, such as distracting security teams or creating windows for other attacks. The lack of authentication or user interaction requirements lowers the barrier for attackers, increasing the likelihood of exploitation attempts. Given the widespread use of Apache, IIS, and Nginx in Europe, and the popularity of ModSecurity as a WAF solution, the impact could be broad, affecting organizations of various sizes and industries.
Mitigation Recommendations
European organizations should prioritize upgrading ModSecurity to version 2.9.9 or later as soon as it becomes available to apply the official patch. Until the patch is deployed, organizations should audit their ModSecurity deployments to identify if any active rules use the 'sanitiseMatchedBytes' action, especially in contexts processing 'application/json' payloads. If feasible, temporarily disabling or modifying such rules to avoid triggering the vulnerable code path can reduce risk. Network-level protections such as rate limiting and web traffic filtering can help mitigate the risk of exploitation by limiting the volume of malicious requests. Monitoring for unusual spikes in CPU or memory usage on servers running ModSecurity can provide early indicators of attempted exploitation. Additionally, organizations should ensure that their incident response and business continuity plans account for potential DoS scenarios affecting web services. Finally, maintaining up-to-date inventories of ModSecurity versions and configurations across all web-facing assets will facilitate rapid response and patch management.
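One way to carry out the configuration audit recommended above, as an added example that is not part of this advisory or of the ModSecurity project: a Python script that scans ModSecurity v2 rule files for directives carrying the `sanitiseMatchedBytes` action, records whether the JSON request body processor is switched on (via the `ctl:requestBodyProcessor=JSON` action), and compares the running version against the 2.9.8 cutoff stated in the advisory. The embedded sample configuration is constructed for the demonstration; its rule ids, the function names and the `exposed` verdict logic are assumptions of this example, not anything the advisory specifies.

```python
"""Audit a ModSecurity v2 deployment for exposure to CVE-2025-47947.

Added example (not code from the advisory or the ModSecurity project).
It flags the combination the advisory describes: a version <= 2.9.8 plus
at least one rule using the sanitiseMatchedBytes action. Whether the JSON
body processor is enabled is reported as supporting context.
"""
import json
import re
import sys
from pathlib import Path
from typing import Iterator, List, Optional, Tuple

LAST_VULNERABLE = (2, 9, 8)  # last affected release per the advisory; 2.9.9 carries the fix

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")
ID_RE = re.compile(r"\bid:'?(\d+)")
SANITISE_RE = re.compile(r"\bsanitiseMatchedBytes\b")  # does not match plain sanitiseMatched
JSON_PROC_RE = re.compile(r"ctl:requestBodyProcessor=JSON\b", re.IGNORECASE)

# Constructed sample configuration for offline use; the rule ids are made up.
SAMPLE_CONF = r"""
# Turn on the JSON body processor for application/json payloads
SecRule REQUEST_HEADERS:Content-Type "^application/json" \
    "id:200001,phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"

# Masks card-number-like digit runs in the audit log: the action the advisory names
SecRule ARGS "@rx \d{13,16}" \
    "id:900100,phase:2,log,pass,sanitiseMatchedBytes"

# Plain sanitiseMatched is a different action and is not flagged
SecRule ARGS:password ".*" "id:900101,phase:2,pass,nolog,sanitiseMatched"
"""


def logical_lines(conf_text: str) -> Iterator[str]:
    """Yield directives with backslash continuations joined; comments and blanks dropped."""
    buf: List[str] = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not buf and (not line or line.startswith("#")):
            continue
        if line.endswith("\\"):
            buf.append(line[:-1].rstrip())
            continue
        buf.append(line)
        yield " ".join(buf)
        buf = []
    if buf:  # dangling continuation at end of file
        yield " ".join(buf)


def parse_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Extract X.Y.Z from a bare version or a banner such as 'ModSecurity for Apache/2.9.8'."""
    m = VERSION_RE.search(banner)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))) if m else None


def is_vulnerable_version(banner: str) -> bool:
    v = parse_version(banner)
    return v is not None and v <= LAST_VULNERABLE


def find_sanitise_rules(conf_text: str) -> List[str]:
    """Return ids of SecRule/SecDefaultAction directives that use sanitiseMatchedBytes."""
    hits = []
    for line in logical_lines(conf_text):
        if not line.startswith(("SecRule", "SecDefaultAction")):
            continue
        if SANITISE_RE.search(line):
            m = ID_RE.search(line)
            hits.append(m.group(1) if m else line.split()[0])  # directive name when no id
    return hits


def json_processor_enabled(conf_text: str) -> bool:
    return any(JSON_PROC_RE.search(line) for line in logical_lines(conf_text))


def audit(conf_text: str, version_banner: str) -> dict:
    """Combine the checks; 'exposed' follows the advisory's two stated conditions."""
    rules = find_sanitise_rules(conf_text)
    vulnerable = is_vulnerable_version(version_banner)
    return {
        "version": parse_version(version_banner),
        "version_vulnerable": vulnerable,
        "sanitise_rules": rules,
        "json_processor_enabled": json_processor_enabled(conf_text),
        "exposed": vulnerable and bool(rules),
    }


if __name__ == "__main__":
    # usage: audit.py "<version banner>" rules1.conf [rules2.conf ...]; no args runs the sample
    if len(sys.argv) >= 3:
        banner = sys.argv[1]
        text = "\n".join(Path(p).read_text(encoding="utf-8") for p in sys.argv[2:])
    else:
        banner, text = "2.9.8", SAMPLE_CONF
    print(json.dumps(audit(text, banner), indent=2))
```

Run it against every file your `Include` directives pull in, not just the main rule set, since the risky action may live in a site-specific file. A rule that is flagged is the one to disable or rewrite while waiting for 2.9.9, and the JSON-processor flag tells you whether `application/json` bodies are being parsed by the engine at all.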
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden, Belgium, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-05-14T10:32:43.530Z
- Cisa Enriched: false
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 682e521b0acd01a24924f1a2
Added to database: 5/21/2025, 10:22:19 PM
Last enriched: 7/7/2025, 10:12:29 AM
Last updated: 8/17/2025, 7:51:55 PM