Very large input data may cause Apache's mod_sed filter to abort, resulting in a denial of service
Apache (, 2.4.53], fixed in 2.4.54
The Apache HTTP Server is the most popular web server in the world. One of its main features is the possibility to use filter modules for various purposes.
One such module,
mod_sed, provides the webmaster the same possibilities offered by GNU's stream editor, sed. This module can be installed as an InputFilter or as an OutputFilter if someone wishes to edit requests or responses before they're processed by the server, or before being sent back to the client.
A bug found in
mod_sed's buffer manipulation logic may cause to the abort of the process handling the HTTP request. This occurs when the
mod_sed module is required to to handle inputs larger than 2GB of data.
An Apache deployment is vulnerable to remote exploitation if -
The server enables
LoadModule sed_module /usr/lib/apache2/modules/mod_sed.so
The server configures
mod_sedto perform any kind of processing on incoming requests, by using
AddInputFilter. For example -
<Directory /> AllowOverride none Require all denied AddInputFilter Sed html InputSed "s/\(.)/Z/g" </Directory>
(note that the vulnerability can be triggered for any
python -c 'print("A")*(2*2**30)' | curl -X POST -d@- http://host
LimitRequestBody configuration directive can be used to limit POST requests' sizes. We recommend setting the limit to 1GB of data or less in