CVE-2025-31492 — Sensitive Information Exposure in MOD Auth Openidc

CWE-200 — Sensitive Information Exposure6 documents6 sources

Severity

8.2HIGHNVD

EPSS

0.6%

top 31.11%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Openidc MOD Auth Openidc

Timeline

PublishedApr 6

Latest updateApr 23

Description

mod_auth_openidc is an OpenID Certified authentication and authorization module for the Apache 2.x HTTP server that implements the OpenID Connect Relying Party functionality. Prior to 2.4.16.11, a bug in a mod_auth_openidc results in disclosure of protected content to unauthenticated users. The conditions for disclosure are an OIDCProviderAuthRequestMethod POST, a valid account, and there mustn't be any application-level gateway (or load balancer etc) protecting the server. When you request a pr…

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Affected Packages1 packages

▶CVEListV5openidc/mod_auth_openidc< 2.4.16.11

🔴Vulnerability Details

CVEList

mod_auth_openidc allows OIDCProviderAuthRequestMethod POSTs to leak protected data↗2025-04-06

▶

OSV

CVE-2025-31492: mod_auth_openidc is an OpenID Certified authentication and authorization module for the Apache 2↗2025-04-06

▶

📋Vendor Advisories

Ubuntu

mod_auth_openidc vulnerability↗2025-04-23

▶

Red Hat

mod_auth_openidc: mod_auth_openidc allows OIDCProviderAuthRequestMethod POSTs to leak protected data↗2025-04-06

▶

Debian

CVE-2025-31492: libapache2-mod-auth-openidc - mod_auth_openidc is an OpenID Certified authentication and authorization module ...↗2025

▶