CVE-2025-54571

EUVD-2025-23662
ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. In versions 2.9.11
and below, an attacker can override the HTTP response’s Content-Type, which could lead to several issues depending on the HTTP scenario. For example, we have demonstrated the potential for XSS and arbitrary script source code disclosure in the latest version of mod_security2. This issue is fixed in version 2.9.12.
Cross-site Scripting
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6.1 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 20%
Affected Products (NVD)
VendorProductVersion
owaspmodsecurity
2.0.0 ≤
𝑥
< 2.9.12
𝑥
= Vulnerable software versions
Amazon Linux logo
Amazon Linux Releases
Amazon Package
Release
mod_security
Amazon Linux 2
0:2.9.12-1.amzn2.0.1
fixed
Amazon Linux 2023
0:2.9.12-1.amzn2023.0.1
fixed
mod_security-debuginfo
Amazon Linux 2
0:2.9.12-1.amzn2.0.1
fixed
Amazon Linux 2023
0:2.9.12-1.amzn2023.0.1
fixed
mod_security-debugsource
Amazon Linux 2023
0:2.9.12-1.amzn2023.0.1
fixed
mod_security-mlogc
Amazon Linux 2
0:2.9.12-1.amzn2.0.1
fixed
Amazon Linux 2023
0:2.9.12-1.amzn2023.0.1
fixed
mod_security-mlogc-debuginfo
Amazon Linux 2023
0:2.9.12-1.amzn2023.0.1
fixed