CVE-2025-54571
BaseFortify
Publication date: 2025-08-06
Last updated on: 2025-11-03
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| owasp | modsecurity | From 2.0.0 (inc) to 2.9.12 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-252 | The product does not check the return value from a method or function, which can prevent it from detecting unexpected states and conditions. |
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in ModSecurity versions 2.9.11 and below allows an attacker to override the HTTP response's Content-Type header. This can lead to various issues depending on the HTTP scenario, including potential cross-site scripting (XSS) attacks and arbitrary script source code disclosure.
How can this vulnerability impact me?
The vulnerability can impact you by enabling attackers to perform cross-site scripting (XSS) attacks or disclose arbitrary script source code, which can compromise the security of your web applications and potentially expose sensitive information or allow malicious code execution.
What immediate steps should I take to mitigate this vulnerability?
Upgrade ModSecurity to version 2.9.12 or later, as this version contains the fix for the vulnerability that allows an attacker to override the HTTP response's Content-Type.