CVE-2025-23048

CWE-284 — Improper Access Control11 documents9 sources

Severity

9.1CRITICAL

EPSS

0.0%

top 90.61%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Http Server Apache Software Foundation Apache Http Server

Timeline

PublishedJul 10

Latest updateJan 15

Description

In some mod_ssl configurations on Apache HTTP Server 2.4.35 through to 2.4.63, an access control bypass by trusted clients is possible using TLS 1.3 session resumption. Configurations are affected when mod_ssl is configured for multiple virtual hosts, with each restricted to a different set of trusted client certificates (for example with a different SSLCACertificateFile/Path setting). In such a case, a client trusted to access one virtual host may be able to access another virtual host, if SSL…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:NExploitability: 3.9 | Impact: 5.2

Affected Packages4 packages

▶NVDapache/http_server2.4.35 — 2.4.64

▶CVEListV5apache_software_foundation/apache_http_server2.4.35 — 2.4.63

▶Alpineapache2< 2.4.64-r0+4

▶Debianapache2< 2.4.65-1~deb11u1+3

🔴Vulnerability Details

OSV

CVE-2025-23048: In some mod_ssl configurations on Apache HTTP Server 2↗2025-07-10

▶

OSV

CVE-2025-23048: In some mod_ssl configurations on Apache HTTP Server 2↗2025-07-10

▶

GHSA

GHSA-gh64-76r6-qhpc: In some mod_ssl configurations on Apache HTTP Server 2↗2025-07-10

▶

CVEList

Apache HTTP Server: mod_ssl access control bypass with session resumption↗2025-07-10

▶

📋Vendor Advisories

Oracle

Oracle Oracle Fusion Middleware Risk Matrix: SSL Module (Apache HTTP Server) — CVE-2025-23048↗2026-01-15

▶

Ubuntu

Apache HTTP Server vulnerabilities↗2025-08-19

▶

Ubuntu

Apache HTTP Server vulnerabilities↗2025-07-16

▶

Red Hat

httpd: mod_ssl: access control bypass by trusted clients is possible using TLS 1.3 session resumption↗2025-07-14

▶

Microsoft

Apache HTTP Server: mod_ssl access control bypass with session resumption↗2025-07-08

▶