CVE-2025-49812

CWE-287 — Improper Authentication10 documents8 sources

Severity

7.4HIGH

EPSS

0.1%

top 67.25%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Http Server Apache Software Foundation Apache Http Server

Timeline

PublishedJul 10

Latest updateAug 19

Description

In some mod_ssl configurations on Apache HTTP Server versions through to 2.4.63, an HTTP desynchronisation attack allows a man-in-the-middle attacker to hijack an HTTP session via a TLS upgrade. Only configurations using "SSLEngine optional" to enable TLS upgrades are affected. Users are recommended to upgrade to version 2.4.64, which removes support for TLS upgrade.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:NExploitability: 2.2 | Impact: 5.2

Affected Packages4 packages

▶NVDapache/http_server< 2.4.64

▶CVEListV5apache_software_foundation/apache_http_server2.4.63

▶Alpineapache2< 2.4.64-r0+4

▶Debianapache2< 2.4.65-1~deb11u1+3

🔴Vulnerability Details

CVEList

Apache HTTP Server: mod_ssl TLS upgrade attack↗2025-07-10

▶

OSV

CVE-2025-49812: In some mod_ssl configurations on Apache HTTP Server versions through to 2↗2025-07-10

▶

OSV

CVE-2025-49812: In some mod_ssl configurations on Apache HTTP Server versions through to 2↗2025-07-10

▶

GHSA

GHSA-2mcx-3xj5-wg86: In some mod_ssl configurations on Apache HTTP Server versions through to 2↗2025-07-10

▶

📋Vendor Advisories

Ubuntu

Apache HTTP Server vulnerabilities↗2025-08-19

▶

Ubuntu

Apache HTTP Server vulnerabilities↗2025-07-16

▶

Red Hat

httpd: HTTP Session Hijack via a TLS upgrade↗2025-07-14

▶

Microsoft

Apache HTTP Server: mod_ssl TLS upgrade attack↗2025-07-08

▶

Debian

CVE-2025-49812: apache2 - In some mod_ssl configurations on Apache HTTP Server versions through to 2.4.63,...↗2025

▶