Unrated severityNVD Advisory· Published Aug 5, 2025· Updated Nov 3, 2025

ModSecurity's Insufficient Return Value Handling can Lead to XSS and Source Code Disclosure

CVE-2025-54571

Description

ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. In versions 2.9.11 and below, an attacker can override the HTTP response’s Content-Type, which could lead to several issues depending on the HTTP scenario. For example, we have demonstrated the potential for XSS and arbitrary script source code disclosure in the latest version of mod_security2. This issue is fixed in version 2.9.12.

Affected products

Owasp Modsecurity/Modsecurityv5
Range: < 2.9.12

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/owasp-modsecurity/ModSecurity/commit/6d7e8eb18f2d7d368fb8e29516fcdeaeb8d349b8mitrex_refsource_MISC
github.com/owasp-modsecurity/ModSecurity/issues/2514mitrex_refsource_MISC
github.com/owasp-modsecurity/ModSecurity/security/advisories/GHSA-cg44-9m43-3f9vmitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000