Last Modified: Oct 15, 2025
Affected Product(s):
BIG-IP ASM
Known Affected Versions:
17.1.1.4, 17.1.2, 17.1.2.1, 17.1.2.2
Fixed In:
17.5.1.3, 17.1.3
Opened: Oct 27, 2024
Severity: 3-Major
Requests containing double-escaped NULL characters (e.g., %2500) trigger a violation even when only single-escaped NULL (%00) detection is desired.
May result in false positives for legitimate traffic using double-escaped characters, with no available configuration to suppress this specific violation.
Occurs when ASM is configured to detect NULL characters in query strings. There is currently no granular control to differentiate between a single encoded NULL and a double encoded NULL.
None
None
ASM treated a single URL-encoded NULL byte (%00) and a double-encoded NULL (%2500) as the same violation, always flagging both as “Escaped NULL in query string”, with no way to suppress only the double-encoded case. This fix adds an internal toggle, "enforce_multiple_decoded_null", that lets administrators keep blocking the singly encoded NULL byte while allowing the doubly encoded sequence. This provides granular control over how encoded NULL bytes are handled.
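The distinction the fix introduces can be made concrete with a small decoder-depth check. The following is an added example, not F5's code: it decodes a query string pass by pass, reports at which pass a NUL byte first appears, and applies a policy modelled on the described toggle (the toggle name is from the page; its exact semantics inside ASM are an assumption, and the sample queries are constructed).

```python
from typing import Optional
from urllib.parse import unquote


def null_decode_depth(query: str, max_depth: int = 2) -> Optional[int]:
    """Return the number of URL-decoding passes after which a NUL byte
    first appears in `query`, or None if it does not appear within
    max_depth passes. Depth 1 = single-escaped (%00) or a raw NUL byte,
    depth 2 = double-escaped (%2500)."""
    current = query
    for depth in range(1, max_depth + 1):
        decoded = unquote(current)
        if "\x00" in decoded:
            return depth
        if decoded == current:  # nothing left to decode; stop early
            return None
        current = decoded
    return None


def is_violation(query: str, enforce_multiple_decoded_null: bool) -> bool:
    """Policy modelled on the advisory (assumption, not ASM's own logic):
    a single-escaped NUL always violates; a double-escaped NUL violates
    only when enforce_multiple_decoded_null is enabled."""
    depth = null_decode_depth(query)
    if depth is None:
        return False
    if depth == 1:
        return True
    return enforce_multiple_decoded_null


# Constructed sample query strings exercising each case.
SAMPLES = {
    "plain": "id=42&name=alice",
    "single": "id=42%00",
    "double": "id=42%2500",
    "triple": "id=42%252500",  # outside the two-pass scope of the fix
}


def classify(enforce_multiple_decoded_null: bool) -> dict:
    """Evaluate every sample under the given toggle setting."""
    return {
        name: is_violation(q, enforce_multiple_decoded_null)
        for name, q in SAMPLES.items()
    }


if __name__ == "__main__":
    for setting in (True, False):
        print(f"enforce_multiple_decoded_null={setting}: {classify(setting)}")
```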