CVE-2025-54571 MEDIUM

CVE-2025-54571: ModSecurity's Insufficient Return Value Handling can Lead to XSS and Source Code Disclosure

Vendor Owasp-Modsecurity
Product ModSecurity
Weakness CWE-252
Published August 5, 2025
Last update November 3, 2025

CVSS base score

6.9/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

ModSecurity is an open-source, cross-platform web application firewall (WAF) engine for Apache, IIS and Nginx. In versions 2.9.11 and below, an attacker can override the HTTP response's Content-Type, which could lead to several issues depending on the HTTP scenario. For example, we have demonstrated the potential for XSS and arbitrary script source code disclosure in the latest version of mod_security2. This issue is fixed in version 2.9.12.

Key dates

02 Disclosure timeline

August 5, 2025 CVE published
November 3, 2025 Record updated