CVE-2025-54571

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2025-54571
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-54571.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-54571
Aliases
Downstream
Related
Published
2025-08-05T23:39:40Z
Modified
2025-11-06T01:20:58.866265Z
Severity
  • 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
ModSecurity's Insufficient Return Value Handling can Lead to XSS and Source Code Disclosure
Details

ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. In versions 2.9.11 and below, an attacker can override the HTTP response’s Content-Type, which could lead to several issues depending on the HTTP scenario. For example, we have demonstrated the potential for XSS and arbitrary script source code disclosure in the latest version of mod_security2. This issue is fixed in version 2.9.12.

Database specific 
{
    "cwe_ids": [
        "CWE-252"
    ]
}
References

Affected packages

Git / github.com/owasp-modsecurity/modsecurity

Affected ranges

Type
GIT
Repo
https://github.com/owasp-modsecurity/modsecurity
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
6d7e8eb18f2d7d368fb8e29516fcdeaeb8d349b8

Affected versions

v2.*

v2.7.2
v2.7.3
v2.7.4
v2.7.5
v2.7.6
v2.7.7
v2.9.0
v2.9.0-rc1
v2.9.0-rc2
v2.9.1
v2.9.1-rc1
v2.9.10
v2.9.11
v2.9.2
v2.9.3
v2.9.4
v2.9.5
v2.9.6
v2.9.7
v2.9.8
v2.9.9

Git / github.com/spiderlabs/modsecurity

Affected ranges

Type
GIT
Repo
https://github.com/spiderlabs/modsecurity
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
18cae5003a7160792a2e96000a9d6bd07cdf7ee2

Affected versions

v2.*

v2.7.2
v2.7.3
v2.7.4
v2.7.5
v2.7.6
v2.7.7
v2.9.0
v2.9.0-rc1
v2.9.0-rc2
v2.9.1
v2.9.1-rc1
v2.9.10
v2.9.11
v2.9.2
v2.9.3
v2.9.4
v2.9.5
v2.9.6
v2.9.7
v2.9.8
v2.9.9