CVE-2025-49630

CWE-617 — Reachable Assertion11 documents8 sources

Severity

7.5HIGH

EPSS

1.0%

top 22.54%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Http Server Apache Software Foundation Apache Http Server

Timeline

PublishedJul 10

Latest updateAug 19

Description

In certain proxy configurations, a denial of service attack against Apache HTTP Server versions 2.4.26 through to 2.4.63 can be triggered by untrusted clients causing an assertion in mod_proxy_http2. Configurations affected are a reverse proxy is configured for an HTTP/2 backend, with ProxyPreserveHost set to "on".

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages5 packages

▶NVDapache/http_server2.4.26 — 2.4.64

▶CVEListV5apache_software_foundation/apache_http_server2.4.26 — 2.4.63

▶Alpineapache2< 2.4.64-r0+4

▶Debianapache2< 2.4.65-1~deb11u1+3

▶Ubuntuapache2< 2.4.18-2ubuntu3.17+esm16+2

🔴Vulnerability Details

OSV

apache2 vulnerabilities↗2025-08-19

▶

OSV

CVE-2025-49630: In certain proxy configurations, a denial of service attack against Apache HTTP Server versions 2↗2025-07-10

▶

OSV

CVE-2025-49630: In certain proxy configurations, a denial of service attack against Apache HTTP Server versions 2↗2025-07-10

▶

GHSA

GHSA-72h2-3r97-f454: In certain proxy configurations, a denial of service attack against Apache HTTP Server versions 2↗2025-07-10

▶

CVEList

Apache HTTP Server: mod_proxy_http2 denial of service↗2025-07-10

▶

📋Vendor Advisories

Ubuntu

Apache HTTP Server vulnerabilities↗2025-08-19

▶

Ubuntu

Apache HTTP Server vulnerabilities↗2025-07-16

▶

Red Hat

httpd: mod_proxy_http2: untrusted input from a client causes an assertion to fail in the Apache mod_proxy_http2 module↗2025-07-14

▶

Microsoft

Apache HTTP Server: mod_proxy_http2 denial of service↗2025-07-08

▶

Debian

CVE-2025-49630: apache2 - In certain proxy configurations, a denial of service attack against Apache HTTP ...↗2025

▶