See the release notes:
- https://github.com/owasp-modsecurity/ModSecurity/releases/tag/v2.9.11
- https://github.com/owasp-modsecurity/ModSecurity/releases/tag/v2.9.12
This fixes the following vulnerabilities:
- CVE-2025-52891:
ModSecurity is an open source, cross platform web application firewall
(WAF) engine for Apache, IIS and Nginx. In versions 2.9.8 to before
2.9.11, an empty XML tag can cause a segmentation fault. If
SecParseXmlIntoArgs is set to On or OnlyArgs, and the request type is
application/xml, and at least one XML tag is empty (eg <foo></foo>),
then a segmentation fault occurs. This issue has been patched in
version 2.9.11. A workaround involves setting SecParseXmlIntoArgs to
Off.
https://www.cve.org/CVERecord?id=CVE-2025-52891
- CVE-2025-54571:
ModSecurity is an open source, cross platform web application firewall
(WAF) engine for Apache, IIS and Nginx. In versions 2.9.11 and below,
an attacker can override the HTTP response’s Content-Type, which could
lead to several issues depending on the HTTP scenario. For example, we
have demonstrated the potential for XSS and arbitrary script source
code disclosure in the latest version of mod_security2. This issue is
fixed in version 2.9.12.
https://www.cve.org/CVERecord?id=CVE-2025-54571
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 684462bbe8)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
06c3e6444a