Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2025-54571

ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. In versions 2.9.11 and below, an attacker can override the HTTP response’s Content-Type, which could lead to several issues depending on the HTTP scenario. For example, we have demonstrated the potential for XSS and arbitrary script source code disclosure in the latest version of mod_security2. This issue is fixed in version 2.9.12.

Published

2025-08-06T00:15:30.687

Last Modified

2025-11-03T19:16:11.533

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 6.1 (MEDIUM)

Weaknesses

Type: Secondary
CWE-252
Type: Primary
CWE-79

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	owasp	modsecurity	< 2.9.12	Yes

References

https://github.com/owasp-modsecurity/ModSecurity/commit/6d7e8eb18f2d7d368fb8e29516fcdeaeb8d349b8 Patch ([email protected])
https://github.com/owasp-modsecurity/ModSecurity/issues/2514 Exploit, Issue Tracking ([email protected])
https://github.com/owasp-modsecurity/ModSecurity/security/advisories/GHSA-cg44-9m43-3f9v Exploit, Vendor Advisory ([email protected])
https://lists.debian.org/debian-lts-announce/2025/09/msg00008.html (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/owasp-modsecurity/ModSecurity/security/advisories/GHSA-cg44-9m43-3f9v Exploit, Vendor Advisory (134c704f-9b21-4f2e-91b3-4a467353bcc0)