CVE-2025-54571

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2025-54571

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-54571.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-54571

Aliases

Downstream

UBUNTU-CVE-2025-54571

Related

GHSA-cg44-9m43-3f9v

Published

2025-08-06T00:15:30Z

Modified

2025-08-08T07:29:52.803182Z

Summary

[none]

Details

ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. In versions 2.9.11 and below, an attacker can override the HTTP response’s Content-Type, which could lead to several issues depending on the HTTP scenario. For example, we have demonstrated the potential for XSS and arbitrary script source code disclosure in the latest version of mod_security2. This issue is fixed in version 2.9.12.

References

Affected packages

Debian:11 / modsecurity-apache

Package

Name: modsecurity-apache
Purl: pkg:deb/debian/modsecurity-apache?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.9.3-3

2.9.3-3+deb11u1

2.9.3-3+deb11u2

2.9.3-3+deb11u3

2.9.3-3+deb11u4

2.9.5-1

2.9.6-1

2.9.7-1

2.9.8-1

2.9.8-1.1

2.9.9-1

2.9.10-1

2.9.11-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / modsecurity-apache

Package

Name: modsecurity-apache
Purl: pkg:deb/debian/modsecurity-apache?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.9.7-1

2.9.7-1+deb12u1

2.9.8-1

2.9.8-1.1

2.9.9-1

2.9.10-1

2.9.11-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / modsecurity-apache

Package

Name: modsecurity-apache
Purl: pkg:deb/debian/modsecurity-apache?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.9.11-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/owasp-modsecurity/modsecurity

Affected ranges

Type: GIT
Repo: https://github.com/owasp-modsecurity/modsecurity
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

6d7e8eb18f2d7d368fb8e29516fcdeaeb8d349b8

Affected versions

v2.*

v2.7.2

v2.7.3

v2.7.4

v2.7.5

v2.7.6

v2.7.7

v2.9.0

v2.9.0-rc1

v2.9.0-rc2

v2.9.1

v2.9.1-rc1

v2.9.10

v2.9.11

v2.9.2

v2.9.3

v2.9.4

v2.9.5

v2.9.6

v2.9.7

v2.9.8

v2.9.9