Improper error handling: CVE-2025-54571 - 2025 August

We would like to share our take on CVE-2025-54571, which was published on August 5, 2025.

The vulnerability was reported by Orange Tsai (@orangetw). They discovered that the mod_security2 engine sends multiple responses or resource content if the request is in a special format.

The same issue had previously been reported by @pgajdos in issue #2514 on GitHub, which, unfortunately, was never properly addressed.

However, the comments by @ylavic in that issue were used as a basis for the fix.

The CVE rating for this vulnerability is only moderate (6.9/10), but the update is definitely recommended, as the vulnerability enables information extraction.

The issue only affects mod_security2. libmodsecurity3 and the nginx connector are not affected.

Explanation

The problem’s root cause lies in the way ModSecurity handles errors returned by a function in Apache httpd to read the request body.

In the ap_hook_fixup phase (hook_request_late in mod_security2.c), mod_security2 ignores the AP_FILTER_ERROR result, allowing the request to continue and causing two HTTP responses.
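A self-contained C model of the flow described above, added here as an illustration and not taken from mod_security2 or httpd. The `SIM_*` codes stand in for httpd's `OK`, `DECLINED` and `AP_FILTER_ERROR`, all function names are hypothetical, and the model assumes a failed body read has already sent an error response to the client.

```c
#include <stdio.h>
#include <string.h>
/* Stand-ins for httpd's OK / DECLINED / AP_FILTER_ERROR (values local to this model). */
enum { SIM_OK = 0, SIM_DECLINED = -1, SIM_FILTER_ERROR = -102 };

typedef struct {
    int body_is_bad;     /* constructed input: 1 = the body read fails */
    int responses_sent;  /* responses written on this connection */
    char wire[128];      /* what the client sees, in order */
} sim_request;

static void send_response(sim_request *r, const char *status) {
    r->responses_sent++;
    snprintf(r->wire + strlen(r->wire), sizeof r->wire - strlen(r->wire), "%s\n", status);
}

/* Assumption: on failure the filter chain has already answered the client. */
static int read_request_body(sim_request *r) {
    if (!r->body_is_bad) return SIM_OK;
    send_response(r, "400 Bad Request");
    return SIM_FILTER_ERROR;
}

/* Vulnerable pattern: the read result is dropped, so processing continues. */
static int fixup_ignoring_error(sim_request *r) {
    (void)read_request_body(r);
    return SIM_DECLINED;
}

/* Hardened pattern: a filter error is returned from the hook and ends the request. */
static int fixup_propagating_error(sim_request *r) {
    int rc = read_request_body(r);
    return rc == SIM_FILTER_ERROR ? rc : SIM_DECLINED;
}

/* Driver: run the fixup hook, then the content handler unless the hook says stop. */
static int run_request(int body_is_bad, int (*fixup)(sim_request *), char *wire, size_t n) {
    sim_request r = { body_is_bad, 0, "" };
    if (fixup(&r) != SIM_FILTER_ERROR) send_response(&r, "200 OK");
    snprintf(wire, n, "%s", r.wire);
    return r.responses_sent;
}

int main(void) {
    char wire[128];
    printf("ignored:    %d response(s)\n", run_request(1, fixup_ignoring_error, wire, sizeof wire));
    printf("propagated: %d response(s)\n", run_request(1, fixup_propagating_error, wire, sizeof wire));
    return 0;
}
```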

This bug only affects mod_security2, probably all versions before 2.9.12. It does not affect libmodsecurity3.

Special thanks

Besides the participants mentioned above, we would like to thank @theseion and @fzipi for their help.

Ervin Hegedus