CVE-2025-54571

Exploit

EPSS 0.09%
Veröffentlicht 05.08.2025 23:39:40
Zuletzt bearbeitet 03.11.2025 19:16:11
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. In versions 2.9.11
and below, an attacker can override the HTTP response’s Content-Type, which could lead to several issues depending on the HTTP scenario. For example, we have demonstrated the potential for XSS and arbitrary script source code disclosure in the latest version of mod_security2. This issue is fixed in version 2.9.12.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 2 Referenzen 7

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Owasp ≫ Modsecurity Version >= 2.0.0 < 2.9.12

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.09%	0.253

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.1	2.8	2.7	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
security-advisories@github.com	6.9	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-252 Unchecked Return Value

The product does not check the return value from a method or function, which can prevent it from detecting unexpected states and conditions.

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://github.com/owasp-modsecurity/ModSecurity/security/advisories/GHSA-cg44-9m43-3f9v

Vendor Advisory

Exploit

https://github.com/owasp-modsecurity/ModSecurity/issues/2514

Exploit

Issue Tracking

https://github.com/owasp-modsecurity/ModSecurity/commit/6d7e8eb18f2d7d368fb8e29516fcdeaeb8d349b8

Patch

https://lists.debian.org/debian-lts-announce/2025/09/msg00008.html

https://nvd.nist.gov/vuln/detail/CVE-2025-54571

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-54571

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-54571

EUVD