Function html_entity_zero_pad 

pub fn html_entity_zero_pad(payload: &str, pad: usize, hex: bool) -> String

HTML entity encoding with zero-padded numeric character references: every character of payload is replaced by its numeric character reference, &#x{:0>width$X}; in the hex form or &#{:0>width$}; in the decimal form, where width is pad. Leading zeros pad the code point's digits out to pad characters.

CVE-2025-27110 (libmodsecurity3 v3.0.13): the v3.0.13 release regressed HTML entity decoding so that any numeric character reference whose digits carry leading zeros (&#0060; or &#x003C; for <) bypasses the decode pass entirely. The undecoded entity reaches the WAF's inspection buffer, and pattern-match rules anchored on the literal <, ', ", etc. never fire. libmodsecurity 3.0.14 fixes this. Every WAF deployment still on 3.0.13 (a version-lag profile that Snyk's 2025 State of Open Source Security flagged as common) is bypassed by routing the payload through this single encoding pass.

pad selects the leading-zero width: 1 produces no padding, 4 gives &#x003C;, 6 gives &#x00003C;, 8 gives &#x0000003C;. The CVE write-up recommends probing widths 4, 6 and 8, because parser implementations diverge on how many leading zeros they tolerate.

hex selects the radix: true emits &#xHH;, false emits &#DD;. The CVE affects both forms, since they share the regression site in libmodsecurity's Utils::HtmlEntity::convert_2_unicode.

Bypass mechanism: see the CVE-2025-27110 advisory at https://modsecurity.org/20250225/html-entity-decoding-regression-cve-2025-27110-2025-february/.
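The defender-side counterpart, as an added example that is not part of this crate or of libmodsecurity: a numeric-reference decoder written from scratch that accepts any number of leading zeros, so &#0060; and &#x003C; normalise to the same < as &#60; before rule inspection, plus a detector that lists the zero-padded references in a request so a deployment that cannot yet move to 3.0.14 can flag or log them. The function names and the sample inputs are assumptions for illustration.

```rust
// Added example, not code from the documented crate or from libmodsecurity.
// Decoder and detector for zero-padded HTML numeric character references.

/// Split the body of a numeric reference (the text between "&#" and ";")
/// into (radix, digits). Returns None for an empty or non-numeric body.
fn parse_body(body: &str) -> Option<(u32, &str)> {
    let (radix, digits) = match body.strip_prefix(|c: char| c == 'x' || c == 'X') {
        Some(hex_digits) => (16, hex_digits),
        None => (10, body),
    };
    // `all` on an empty iterator is true, so the emptiness check is required.
    if !digits.is_empty() && digits.chars().all(|c| c.is_digit(radix)) {
        Some((radix, digits))
    } else {
        None
    }
}

/// Decode `&#DDD;` and `&#xHHH;` references regardless of leading zeros.
/// Malformed or out-of-range references are copied through unchanged.
pub fn decode_numeric_refs(input: &str) -> String {
    let bytes = input.as_bytes();
    let mut out = String::with_capacity(input.len());
    let mut i = 0;
    while i < bytes.len() {
        if bytes[i] == b'&' && i + 2 < bytes.len() && bytes[i + 1] == b'#' {
            if let Some(rel) = input[i..].find(';') {
                // rel >= 2 because positions 0 and 1 hold '&' and '#'.
                let body = &input[i + 2..i + rel];
                if let Some((radix, digits)) = parse_body(body) {
                    // from_str_radix tolerates leading zeros; this is the
                    // step the 3.0.13 decode pass skipped for padded input.
                    if let Some(ch) = u32::from_str_radix(digits, radix)
                        .ok()
                        .and_then(char::from_u32)
                    {
                        out.push(ch);
                        i += rel + 1;
                        continue;
                    }
                }
            }
        }
        // Not a decodable reference: copy one character verbatim.
        let ch = input[i..].chars().next().unwrap();
        out.push(ch);
        i += ch.len_utf8();
    }
    out
}

/// List every well-formed numeric reference whose digits start with a
/// leading zero, e.g. "&#0060;" or "&#x003C;", for logging or a rule.
pub fn zero_padded_refs(input: &str) -> Vec<&str> {
    let mut found = Vec::new();
    let mut pos = 0;
    while let Some(off) = input[pos..].find("&#") {
        let start = pos + off;
        let tail = &input[start..];
        let end = match tail.find(';') {
            Some(end) => end,
            None => break,
        };
        if let Some((_, digits)) = parse_body(&tail[2..end]) {
            if digits.len() > 1 && digits.starts_with('0') {
                found.push(&tail[..=end]);
            }
        }
        pos = start + 2;
    }
    found
}

fn main() {
    // Constructed sample request fragment.
    let sample = "q=&#0060;script&#x003E;alert(1)&#60;/script&#x3e;";
    println!("decoded:      {}", decode_numeric_refs(sample));
    println!("zero-padded:  {:?}", zero_padded_refs(sample));
}
```

Running the decoder ahead of inspection removes the padding distinction entirely; the detector is the cheaper interim control, since a padded reference has no legitimate reason to appear in most request fields and is a reliable signal to log.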
