CVE-2009-1902

Exp

The multipart processor in ModSecurity before 2.5.9 allows remote attackers to cause a denial of service (crash) via a multipart form datapost request with a missing part header name, which triggers a NULL pointer dereference.

Published: 2009-06-03 Last update: 2026-06-16 Assigner: [email protected] Source: [email protected]
NVD Status:ModifiedCVE State: published
View at NVD, CVE.org, EUVD

CVE-2009-1902 is rated High Exploit Risk (67.8/100): CVSS Medium severity, with high exploitation likelihood (EPSS 13.73%, 96th percentile). 4 public exploit reference(s) are indexed (Exploit-DB). Public exploits are available—assess exposure, apply mitigations, and prioritize patching.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Public exploit references (Exploit-DB) for CVE-2009-1902

EDB-ID Source Kind Published Link
8241 exploit_db edb 2009-03-19 Exploit-DB ↗
nvd_ref exploit_tag Exploit-DB ↗
nvd_ref exploit_tag Exploit-DB ↗
nvd_ref exploit_tag Exploit-DB ↗

Exploit prediction scoring system (EPSS) score for CVE-2009-1902

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

# Date Old EPSS score New EPSS score Delta (New - Old)
1 2026-06-15 14.55% 13.73% -0.81%
2 2026-06-03 14.63% 14.55% -0.08%
3 2026-04-12 14.63%

Full EPSS history (16 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2009-1902

CVSS metrics for this CVE.

Base score Version Severity Vector Exploitability Impact Score source
5.0 2.0 MEDIUM
AV:N/AC:L/Au:N/C:N/I:N/A:P Click to expand
Access vector (AV:N)
Can be exploited remotely over network reachability.
Access complexity (AC:L)
Exploitation conditions are straightforward and predictable.
Authentication (AU:N)
No authentication is required.
Confidentiality impact (C:N)
No confidentiality impact.
Integrity impact (I:N)
No integrity impact.
Availability impact (A:P)
Partial availability impact.
 10.0 2.9 [email protected]

Weakness enumeration for CVE-2009-1902

OS Trackers for CVE-2009-1902

vendor priority summary link
gentoo normal CVE-2009-1902: 1 GLSA(s) (200907-02), 1 atom(s) (www-apache/mod_security); latest impact normal. https://bugs.gentoo.org/buglist.cgi?quicksearch=CVE-2009-1902
ubuntu medium CVE-2009-1902 medium priority: Ubuntu including 1 source packages (libapache-mod-security), 8 status rows across 8 suites (dapper, hardy, intrepid, jaunty, karmic, lucid, maverick, upstream): not-affected 4, DNE 2, ignored 1, released 1. https://ubuntu.com/security/CVE-2009-1902

Affected software / configurations for CVE-2009-1902

Vendor Product Version Raw CPE
trustwave modsecurity < 2.5.9 cpe:2.3:a:trustwave:modsecurity:*:*:*:*:*:*:*:*
fedoraproject fedora 9 cpe:2.3:o:fedoraproject:fedora:9:*:*:*:*:*:*:*
fedoraproject fedora 10 cpe:2.3:o:fedoraproject:fedora:10:*:*:*:*:*:*:*

References for CVE-2009-1902

URL Tags
http://lists.opensuse.org/opensuse-security-announce/2009-06/msg00003.html Not Applicable
http://secunia.com/advisories/34256 Third Party Advisory
http://secunia.com/advisories/34311 Third Party Advisory
http://secunia.com/advisories/35687 Third Party Advisory
http://security.gentoo.org/glsa/glsa-200907-02.xml Third Party Advisory
http://sourceforge.net/project/shownotes.php?release_id=667542&group_id=68846 Third Party Advisory
http://www.osvdb.org/52553 Broken Link
http://www.securityfocus.com/archive/1/501968 Exploit Third Party Advisory VDB Entry
http://www.securityfocus.com/bid/34096 Exploit Third Party Advisory VDB Entry
http://www.vupen.com/english/advisories/2009/0703 Third Party Advisory
https://exchange.xforce.ibmcloud.com/vulnerabilities/49212 Third Party Advisory VDB Entry
https://www.exploit-db.com/exploits/8241 Exploit Third Party Advisory VDB Entry
https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00487.html Third Party Advisory
https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00529.html Third Party Advisory
cvelogic Threat Intelligence