Fluid Attacks Database

Description

ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. In versions 2.9.11 and below, an attacker can override the HTTP response’s Content-Type, which could lead to several issues depending on the HTTP scenario. For example, we have demonstrated the potential for XSS and arbitrary script source code disclosure in the latest version of mod_security2. This issue is fixed in version 2.9.12.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 12	modsecurity-apache	=2.9.7-1 \|\| =2.9.7-1+deb12u1 \|\| >=0 <2.9.7-1+deb12u2	2.9.7-1+deb12u2
debian 11	modsecurity-apache	=2.9.3-3 \|\| =2.9.3-3+deb11u1 \|\| =2.9.3-3+deb11u2 \|\| =2.9.3-3+deb11u3 \|\| =2.9.3-3+deb11u4 \|\| >=0 <2.9.3-3+deb11u5	2.9.3-3+deb11u5
debian 13	modsecurity-apache	=2.9.11-1 \|\| >=0 <2.9.11-1+deb13u1	2.9.11-1+deb13u1
debian 14	modsecurity-apache	=2.9.11-1 \|\| >=0 <2.9.12-2	2.9.12-2
rpm rhel7	mod_security	-	-
rpm rhel8	mod_security	-	-
rpm rhel9	mod_security	-	-

Aliases

1. CVE-2025-545712. NVD-2025-545713. OSV-DEBIAN-2025-545714. OSV-2025-545715. SECURITY-TRACKER-CVE-2025-54571

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.