We would like to share our take on CVE-2025-54571, which was published on August 5, 2025.
The vulnerability was reported by Orange Tsai (@orangetw). They discovered that the mod_security2 engine sends multiple responses or resource content if the request is in a special format.
The same issue had previously been reported by @pgajdos in issue (#2514) on Github, which, unfortunately, was never properly addressed.
However, the comments by @ylavic in that issue were used as a basis for the fix.
The CVE rating for this vulnerability is only moderate (6.9/10), but the update is definitely recommended, as it enables information extraction.
The issue only affects mod_security2. libmodsecurity3 and the nginx connector are not affected.
Explanation
The problem’s root cause lies in the way ModSecurity handles errors returned by a function in Apache httpd to read the request body.
In the ap_hook_fixup phase (hook_request_late in mod_security2.c), mod_security2 ignores the AP_FILTER_ERROR result, allowing the request to continue and causing two HTTP responses.
This bug only affects mod_security2, probably all versions before 2.9.12. It does not affect libmodsecurity3.
Special thanks
Beside the mentioned participants above, we would like to thank @theseion and @fzipi for their help.