CVE-2025-54571: 
ModSecurity vulnerability analysis and mitigation

ModSecurity, an open source cross-platform web application firewall (WAF) engine for Apache, IIS and Nginx, contains a vulnerability in versions 2.9.11 and below identified as CVE-2025-54571. The vulnerability was discovered in August 2025 and allows attackers to override the HTTP response's Content-Type, which could lead to several security issues including XSS and arbitrary script source code disclosure (GitHub Advisory).

The vulnerability stems from insufficient return value handling in ModSecurity's code. In the aphookfixup phase (hookrequestlate in modsecurity2.c), ModSecurity ignores the APFILTERERROR result, allowing the request to continue and causing two HTTP responses. When Apache HTTP Server triggers APFILTER_ERROR, it places the error message in the brigade and sets the Content-Type to text/html. The issue has been assigned a CVSS v4.0 base score of 6.9 (Medium) with vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N (GitHub Advisory, NVD).

The vulnerability allows attackers to override HTTP response's Content-Type, which can lead to Cross-Site Scripting (XSS) attacks and arbitrary script source code disclosure. For example, when an excessively large POST request is sent to an image file, it triggers the bug, causing the image to be processed as text/html, leading to XSS (GitHub Advisory).

The vulnerability has been fixed in ModSecurity version 2.9.12. No known workarounds are available for users who cannot immediately upgrade. Organizations using affected versions of ModSecurity should upgrade to version 2.9.12 as soon as possible (GitHub Advisory).