Amazon Linux 2 Security Advisory: ALAS2-2025-2981
Advisory Released Date: 2025-09-04
Advisory Updated Date: 2025-09-04
Severity:
Medium
Issue Overview:
ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. In versions 2.9.11 and below, an attacker can override the HTTP response's Content-Type, which could lead to several issues depending on the HTTP scenario. For example, we have demonstrated the potential for XSS and arbitrary script source code disclosure in the latest version of mod_security2. This issue is fixed in version 2.9.12. (CVE-2025-54571)
Affected Packages:
mod_security
Note:
This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.
Issue Correction:
Run yum update mod_security or yum update --advisory ALAS2-2025-2981 to update your system.
New Packages:
aarch64:
mod_security-2.9.12-1.amzn2.0.1.aarch64
mod_security-mlogc-2.9.12-1.amzn2.0.1.aarch64
mod_security-debuginfo-2.9.12-1.amzn2.0.1.aarch64
i686:
mod_security-2.9.12-1.amzn2.0.1.i686
mod_security-mlogc-2.9.12-1.amzn2.0.1.i686
mod_security-debuginfo-2.9.12-1.amzn2.0.1.i686
src:
mod_security-2.9.12-1.amzn2.0.1.src
x86_64:
mod_security-2.9.12-1.amzn2.0.1.x86_64
mod_security-mlogc-2.9.12-1.amzn2.0.1.x86_64
mod_security-debuginfo-2.9.12-1.amzn2.0.1.x86_64