pub fn html_entity_zero_pad(payload: &str, pad: usize, hex: bool) -> String
HTML entity encoding with zero-padded numeric references: every
character becomes either `&#x{:0>width$X};` (hex form) or
`&#{:0>width$};` (decimal form). Leading zeros pad the number to
`pad` digits.
CVE-2025-27110 (libmodsecurity3 v3.0.13): the v3.0.13 release
regressed entity decoding such that any HTML numeric character
reference whose digits carry leading zeros (for example a zero-padded
decimal or hexadecimal reference for `<`) bypasses the decode pass
entirely. The undecoded entity reaches the WAF’s inspection buffer, so
pattern-match rules anchored on the literal `<`, `'`, `"`, etc. never fire.
libmodsecurity 3.0.14 fixes this. Every WAF deployment still on
3.0.13 — which Snyk’s 2025 State of Open Source Security flagged
as a common version-lag profile — is bypassed by routing the
payload through this single encoding pass.
`pad` selects the leading-zero width (1 = no padding; 4, 6 and 8 = the
reference padded to four, six or eight digits). The CVE write-up
recommends probing widths 4, 6 and 8, because parser implementations
diverge on how many leading zeros they tolerate.
`hex` selects the radix: `true` emits `&#xHH;`, `false` emits
`&#DD;`. The CVE affects both forms, since they share the regression
site in libmodsecurity’s Utils::HtmlEntity::convert_2_unicode.
Bypass mechanism: see CVE-2025-27110 advisory at https://modsecurity.org/20250225/html-entity-decoding-regression-cve-2025-27110-2025-february/.
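As an added example that is not part of this crate or of libmodsecurity, here is the behaviour a correct normalisation pass must keep: numeric character references are decoded whatever their leading-zero width, so zero-padded input is inspected as the literal characters it encodes. The function names are this example's own, and a second helper flags the zero-padded shape for logging or alerting.

```rust
// Added example (not libmodsecurity code): decode `&#DDD;` and `&#xHHH;`
// references regardless of leading zeros, so that "&#0060;" and
// "&#x0000003C;" both reach rule matching as "<". Malformed or
// NUL-valued references are left untouched rather than dropped.
pub fn decode_numeric_refs(input: &str) -> String {
    let mut out = String::with_capacity(input.len());
    let mut rest = input;
    while let Some(start) = rest.find("&#") {
        out.push_str(&rest[..start]);
        let after = &rest[start + 2..];
        // Optional radix marker: "&#x..." / "&#X..." is hexadecimal.
        let (hex, digits) = match after.strip_prefix(|c: char| c == 'x' || c == 'X') {
            Some(d) => (true, d),
            None => (false, after),
        };
        let end = digits.find(';');
        let decoded = end.and_then(|e| {
            // Leading zeros carry no value: strip them before parsing.
            let body = digits[..e].trim_start_matches('0');
            let body = if body.is_empty() { "0" } else { body };
            u32::from_str_radix(body, if hex { 16 } else { 10 })
                .ok()
                .filter(|&v| v != 0)
                .and_then(char::from_u32)
        });
        match (decoded, end) {
            (Some(c), Some(e)) => {
                out.push(c);
                rest = &digits[e + 1..];
            }
            _ => {
                // Not a valid reference: emit "&#" verbatim and move on.
                out.push_str("&#");
                rest = after;
            }
        }
    }
    out.push_str(rest);
    out
}

/// True when any numeric reference in `input` starts with a leading
/// zero followed by further digits, the shape the 3.0.13 decoder missed.
pub fn has_zero_padded_ref(input: &str) -> bool {
    input.match_indices("&#").any(|(i, _)| {
        let body = input[i + 2..].trim_start_matches(|c: char| c == 'x' || c == 'X');
        let run = body.chars().take_while(|c| c.is_ascii_hexdigit()).count();
        body.starts_with('0') && run > 1
    })
}
```

Run `decode_numeric_refs` on the request before rule matching and `has_zero_padded_ref` on the raw input to surface traffic that is probing for the regression.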