Medium severity6.1NVD Advisory· Published Aug 6, 2025· Updated Jun 17, 2026
CVE-2025-54571
CVE-2025-54571
Description
ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. In versions 2.9.11 and below, an attacker can override the HTTP response’s Content-Type, which could lead to several issues depending on the HTTP scenario. For example, we have demonstrated the potential for XSS and arbitrary script source code disclosure in the latest version of mod_security2. This issue is fixed in version 2.9.12.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
9- Range: <=2.9.11
- osv-coords7 versionspkg:bitnami/modsecuritypkg:bitnami/modsecurity2pkg:rpm/opensuse/apache2-mod_security2&distro=openSUSE%20Leap%2015.6pkg:rpm/opensuse/apache2-mod_security2&distro=openSUSE%20Tumbleweedpkg:rpm/suse/apache2-mod_security2&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Server%20Applications%2015%20SP6pkg:rpm/suse/apache2-mod_security2&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Server%20Applications%2015%20SP7pkg:rpm/suse/apache2-mod_security2&distro=SUSE%20Linux%20Enterprise%20Server%20LTSS%20Extended%20Security%2012%20SP5
< 2.9.12+ 6 more
- (no CPE)range: < 2.9.12
- (no CPE)range: < 2.9.12
- (no CPE)range: < 2.9.4-150400.3.12.1
- (no CPE)range: < 2.9.12-1.1
- (no CPE)range: < 2.9.4-150400.3.12.1
- (no CPE)range: < 2.9.4-150400.3.12.1
- (no CPE)range: < 2.8.0-7.12.1
- Range: < 2.9.12
Patches
Vulnerability mechanics
References
4- github.com/owasp-modsecurity/ModSecurity/commit/6d7e8eb18f2d7d368fb8e29516fcdeaeb8d349b8nvdPatch
- github.com/owasp-modsecurity/ModSecurity/issues/2514nvdExploitIssue Tracking
- github.com/owasp-modsecurity/ModSecurity/security/advisories/GHSA-cg44-9m43-3f9vnvdExploitVendor Advisory
- lists.debian.org/debian-lts-announce/2025/09/msg00008.htmlnvd
News mentions
0No linked articles in our index yet.