CVE-2025-54090

CWE-25310 documents9 sources

Severity

6.3MEDIUM

EPSS

0.3%

top 45.59%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Http Server Apache Http Server

Timeline

PublishedJul 23

Latest updateOct 15

Description

A bug in Apache HTTP Server 2.4.64 results in all "RewriteCond expr ..." tests evaluating as "true". Users are recommended to upgrade to version 2.4.65, which fixes the issue.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:LExploitability: 2.8 | Impact: 3.4

Affected Packages4 packages

▶NVDapache/http_server2.4.64

▶CVEListV5apache_software_foundation/apache_http_server2.4.64

▶Alpineapache2< 2.4.65-r0+4

▶Debianapache2< 2.4.65-1+1

Patches

Patch: news.ycombinator.com ↗

🔴Vulnerability Details

OSV

CVE-2025-54090: A bug in Apache HTTP Server 2↗2025-07-23

▶

GHSA

GHSA-cjqj-vhhm-xq5x: A bug in Apache HTTP Server 2↗2025-07-23

▶

CVEList

Apache HTTP Server: 'RewriteCond expr' always evaluates to true in 2.4.64↗2025-07-23

▶

OSV

CVE-2025-54090: A bug in Apache HTTP Server 2↗2025-07-23

▶

📋Vendor Advisories

Oracle

Oracle Oracle Communications Applications Risk Matrix: Core (Apache HTTP Server) — CVE-2025-54090↗2025-10-15

▶

Red Hat

httpd: Apache HTTP Server logic flaw↗2025-07-23

▶

Microsoft

Apache HTTP Server: 'RewriteCond expr' always evaluates to true in 2.4.64↗2025-07-08

▶

Debian

CVE-2025-54090: apache2 - A bug in Apache HTTP Server 2.4.64 results in all "RewriteCond expr ..." tests e...↗2025

▶

Apache

Apache httpd: CVE-2025-54090↗

▶