chore: add blogpost for CVE-2025-54571

Author: airween

content/blog/2025-08-05-cve-2025-54571.md

@@ -0,0 +1,31 @@
+---
+title: 'Improper error handling: CVE-2025-54571 - 2025 August'
+date: '2025-08-05T00:00:00+02:00'
+author: airween
+---
+
+We would like to share our take on [CVE-2025-54571](https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-54571), which was published on August 5, 2025.
+
+<!--more-->
+
+The vulnerability was reported by Orange Tsai ([@orangetw](https://github.com/orangetw)). They discovered that the mod_security2 engine sends multiple responses or resource content if the request is in a special format.
+
+The same issue had previously been reported by [@pgajdos](https://github.com/pgajdos) in [issue (#2514)](https://github.com/owasp-modsecurity/ModSecurity/issues/2514) on Github, which, unfortunately, was never properly addressed.
+
+However, the comments by [@ylavic](https://github.com/ylavic) in that issue were used as a basis for the fix.
+
+The CVE rating for this vulnerability is only moderate (6.9/10), but the update is definitely recommended, as it enables information extraction.
+
+The issue only affects mod_security2. libmodsecurity3 and the nginx connector are not affected.
+
+### Explanation
+
+The problem's root cause lies in the way ModSecurity handles errors returned by a function in Apache httpd to read the request body.
+
+In the `ap_hook_fixup` phase (`hook_request_late` in `mod_security2.c`), mod_security2 ignores the `AP_FILTER_ERROR` result, allowing the request to continue and causing two HTTP responses.
+
+This bug only affects mod_security2, probably all versions before 2.9.12. It does not affect libmodsecurity3.
+
+### Special thanks
+
+Beside the mentioned participants above, we would like to thank [@theseion](https://github.com/theseion) and [@fzipi](https://github.com/fzipi) for their help.