CVE-2025-54571 | THREATINT

Description

ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. In versions 2.9.11 and below, an attacker can override the HTTP response’s Content-Type, which could lead to several issues depending on the HTTP scenario. For example, we have demonstrated the potential for XSS and arbitrary script source code disclosure in the latest version of mod_security2. This issue is fixed in version 2.9.12.

PUBLISHED Reserved 2025-07-25 | Published 2025-08-05 | Updated 2025-11-03 | Assigner GitHub_M

MEDIUM: 6.9CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-252: Unchecked Return Value

Product status

< 2.9.12

affected

References

github.com/...curity/security/advisories/GHSA-cg44-9m43-3f9v exploit

lists.debian.org/debian-lts-announce/2025/09/msg00008.html

github.com/...curity/security/advisories/GHSA-cg44-9m43-3f9v

github.com/owasp-modsecurity/ModSecurity/issues/2514

github.com/...ommit/6d7e8eb18f2d7d368fb8e29516fcdeaeb8d349b8

cve.org (CVE-2025-54571)

nvd.nist.gov (CVE-2025-54571)

Download JSON