CVE-2025-54571 ModSecurity's Insufficient Return Value Handling can Lead to XSS and Source Code Disclosure

🗓️ 05 Aug 2025 23:39:40Reported by GitHub_MType

ModSecurity version 2.9.11 and below has XSS risk due to insufficient return value handling in HTTP response.

Reporter	Title	Published	Views	Family All 51
Tenable Nessus	Amazon Linux 2023 : mod_security, mod_security-mlogc (ALAS2023-2025-1157)	8 Sep 202500:00	–	nessus
Tenable Nessus	Amazon Linux 2 : mod_security, --advisory ALAS2-2025-2981 (ALAS-2025-2981)	4 Sep 202500:00	–	nessus
Tenable Nessus	Debian dla-4294 : libapache2-mod-security2 - security update	7 Sep 202500:00	–	nessus
Tenable Nessus	Oracle HTTP Server (January 2026 CPU)	26 Jan 202600:00	–	nessus
Tenable Nessus	Oracle HTTP Server (January 2026 CPU)	26 Jan 202600:00	–	nessus
Tenable Nessus	SUSE SLES15 / openSUSE 15 Security Update : apache2-mod_security2 (SUSE-SU-2025:03422-1)	30 Sep 202500:00	–	nessus
Tenable Nessus	SUSE SLES12 Security Update : apache2-mod_security2 (SUSE-SU-2025:03423-1)	30 Sep 202500:00	–	nessus
Tenable Nessus	TencentOS Server 4: mod_security (TSSA-2025:0673)	27 Aug 202500:00	–	nessus
Tenable Nessus	Unity Linux 20.1070e Security Update: mod_security (UTSA-2025-993316)	31 Dec 202500:00	–	nessus
Tenable Nessus	Linux Distros Unpatched Vulnerability : CVE-2025-54571	21 Aug 202500:00	–	nessus

[
  {
    "vendor": "owasp-modsecurity",
    "product": "ModSecurity",
    "versions": [
      {
        "version": "< 2.9.12",
        "status": "affected"
      }
    ]
  }
]

Source	Link
github	www.github.com/owasp-modsecurity/ModSecurity/issues/2514
github	www.github.com/owasp-modsecurity/ModSecurity/commit/6d7e8eb18f2d7d368fb8e29516fcdeaeb8d349b8
github	www.github.com/owasp-modsecurity/ModSecurity/security/advisories/GHSA-cg44-9m43-3f9v

05 Aug 2025 23:39Current

CVSS 46.9

EPSS0.00305

CWE-252

modsecurity vulnerability xss risk return value handling code disclosure