Last Modified: Jun 28, 2025
Affected Product(s):
BIG-IP TMOS
Known Affected Versions:
16.1.5, 16.1.5.1, 16.1.5.2, 16.1.6, 17.5.0, 17.5.1
Opened: May 14, 2025
Severity: 3-Major
Under certain conditions, AVR changes the Content-Length header (to account for CSPM script injection) but then does not inject the actual CSPM script into the HTTP payload.
The client can stall waiting for the remaining payload, which never arrives.
- Option "collect-page-load-time" is enabled in the AVR profile
- Sys db key "avr.cspm.inject.location" is set to a value of "after_head"
Do at least one of the following things:
- On the HTTP profile, set option "response-chunking" to "rechunk"
- Set sys db key "avr.cspm.inject.location" to "at_the_end"
- On the AVR profile, disable option "collect-page-load-time"
None
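To confirm the symptom from the client side, the check below compares the declared Content-Length with the body bytes actually received. It is an added example, not F5 code; the function names and the three sample responses are constructed, and the input is assumed to be the raw bytes a client had received when it gave up waiting.

```python
# Added example: report how many body bytes a response still owes the client.
# All sample responses are constructed, not captured from a BIG-IP.

def split_response(raw: bytes):
    """Return (headers keyed by lower-cased name, body bytes received so far)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete header block")
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return headers, body


def content_length_shortfall(raw: bytes):
    """Bytes promised by Content-Length but not delivered.

    Returns None when Content-Length does not frame the body
    (chunked transfer encoding, or a missing or malformed header).
    """
    headers, body = split_response(raw)
    if "chunked" in headers.get("transfer-encoding", "").lower():
        return None
    declared = headers.get("content-length", "")
    if not declared.isdigit():
        return None
    return max(int(declared) - len(body), 0)


PAGE = b"<html><head></head><body>ok</body></html>"
# Constructed stall case: header enlarged by an arbitrary 120 bytes, body unchanged.
STALLED = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
           b"Content-Length: %d\r\n\r\n%s" % (len(PAGE) + 120, PAGE))
# Constructed healthy case: header and body agree.
COMPLETE = b"HTTP/1.1 200 OK\r\nContent-Length: %d\r\n\r\n%s" % (len(PAGE), PAGE)
# Constructed chunked response, as an HTTP profile set to rechunk would send.
CHUNKED = (b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n"
           b"%x\r\n%s\r\n0\r\n\r\n" % (len(PAGE), PAGE))

if __name__ == "__main__":
    for label, raw in (("stalled", STALLED), ("complete", COMPLETE), ("chunked", CHUNKED)):
        print(label, content_length_shortfall(raw))
```

A non-zero result on an HTML response that passed through a virtual server with the AVR profile attached matches the stall described here; a result of 0 or None does not.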