Last Modified: Sep 15, 2025
Affected Product(s):
BIG-IP ASM
Known Affected Versions:
17.1.1.4, 17.1.2, 17.1.2.1, 17.1.2.2
Opened: Oct 27, 2024 Severity: 3-Major
Requests containing double-escaped NULL characters (e.g., %2500) trigger a violation, even when single-escaped NULL (%00) detection is desired.
May result in false positives for legitimate traffic using double-escaped characters, with no available configuration to suppress this specific violation.
Occurs when ASM is configured to detect NULL characters in query strings. There is currently no granular control to differentiate between %00 and %2500.
None
None