CVE-2025-49812 (GCVE-0-2025-49812)

Vulnerability from cvelistv5 – Published: 2025-07-10 16:58 – Updated: 2025-11-04 21:11
VLAI
Title
Apache HTTP Server: mod_ssl TLS upgrade attack
Summary
In some mod_ssl configurations on Apache HTTP Server versions through to 2.4.63, an HTTP desynchronisation attack allows a man-in-the-middle attacker to hijack an HTTP session via a TLS upgrade. Only configurations using "SSLEngine optional" to enable TLS upgrades are affected. Users are recommended to upgrade to version 2.4.64, which removes support for TLS upgrade.
Severity
7.4 (High)
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-287 - Improper Authentication
Assigner
References
Impacted products
Vendor Product Version
Apache Software Foundation Apache HTTP Server Affected: 0 , ≤ 2.4.63 (semver)
Create a notification for this product.
Credits
Robert Merget (Technology Innovation Institute) Nurullah Erinola (Ruhr University Bochum) Marcel Maehren (Ruhr University Bochum) Lukas Knittel (Ruhr University Bochum) Sven Hebrok (Paderborn University) Marcus Brinkmann (Ruhr University Bochum) Juraj Somorovsky (Paderborn University) Jörg Schwenk (Ruhr University Bochum)
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "HIGH",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 7.4,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-49812",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-11T16:05:54.218961Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-15T19:56:14.709Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-04T21:11:18.699Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/08/msg00009.html"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/07/09/3"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/07/10/2"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/07/10/9"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Apache HTTP Server",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "2.4.63",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Robert Merget (Technology Innovation Institute)"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Nurullah Erinola (Ruhr University Bochum)"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Marcel Maehren (Ruhr University Bochum)"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Lukas Knittel (Ruhr University Bochum)"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Sven Hebrok (Paderborn University)"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Marcus Brinkmann (Ruhr University Bochum)"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Juraj Somorovsky (Paderborn University)"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "J\u00f6rg Schwenk (Ruhr University Bochum)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "In some mod_ssl configurations on Apache HTTP Server versions through to 2.4.63, an HTTP desynchronisation attack allows a man-in-the-middle attacker to hijack an HTTP session via a TLS upgrade.\u003cbr\u003e\u003cbr\u003eOnly configurations using \"SSLEngine optional\" to enable TLS upgrades are affected. Users are recommended to upgrade to version 2.4.64, which removes support for TLS upgrade."
            }
          ],
          "value": "In some mod_ssl configurations on Apache HTTP Server versions through to 2.4.63, an HTTP desynchronisation attack allows a man-in-the-middle attacker to hijack an HTTP session via a TLS upgrade.\n\nOnly configurations using \"SSLEngine optional\" to enable TLS upgrades are affected. Users are recommended to upgrade to version 2.4.64, which removes support for TLS upgrade."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "moderate"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-287",
              "description": "CWE-287 Improper Authentication",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-10T16:58:23.943Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://httpd.apache.org/security/vulnerabilities_24.html"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2025-04-22T07:26:00.000Z",
          "value": "Report received"
        },
        {
          "lang": "en",
          "time": "2025-07-07T00:00:00.000Z",
          "value": "2.4.x revision 1927045"
        }
      ],
      "title": "Apache HTTP Server: mod_ssl TLS upgrade attack",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2025-49812",
    "datePublished": "2025-07-10T16:58:23.943Z",
    "dateReserved": "2025-06-11T09:36:54.723Z",
    "dateUpdated": "2025-11-04T21:11:18.699Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2025-49812",
      "date": "2026-06-04",
      "epss": "0.00455",
      "percentile": "0.6416"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-49812\",\"sourceIdentifier\":\"security@apache.org\",\"published\":\"2025-07-10T17:15:48.193\",\"lastModified\":\"2025-11-04T22:16:18.607\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In some mod_ssl configurations on Apache HTTP Server versions through to 2.4.63, an HTTP desynchronisation attack allows a man-in-the-middle attacker to hijack an HTTP session via a TLS upgrade.\\n\\nOnly configurations using \\\"SSLEngine optional\\\" to enable TLS upgrades are affected. Users are recommended to upgrade to version 2.4.64, which removes support for TLS upgrade.\"},{\"lang\":\"es\",\"value\":\"En algunas configuraciones de mod_ssl en las versiones de Apache HTTP Server hasta la 2.4.63, un ataque de desincronizaci\u00f3n HTTP permite a un atacante intermediario secuestrar una sesi\u00f3n HTTP mediante una actualizaci\u00f3n de TLS. Solo se ven afectadas las configuraciones que utilizan \\\"SSLEngine opcional\\\" para habilitar las actualizaciones de TLS. Se recomienda a los usuarios actualizar a la versi\u00f3n 2.4.64, que elimina la compatibilidad con la actualizaci\u00f3n de TLS.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N\",\"baseScore\":7.4,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.2,\"impactScore\":5.2}]},\"weaknesses\":[{\"source\":\"security@apache.org\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-287\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2.4.64\",\"matchCriteriaId\":\"662068A4-E8A3-4A24-80B6-F15720D57114\"}]}]}],\"references\":[{\"url\":\"https://httpd.apache.org/security/vulnerabilities_24.html\",\"source\":\"security@apache.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2025/07/09/3\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.openwall.com/lists/oss-security/2025/07/10/2\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.openwall.com/lists/oss-security/2025/07/10/9\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.debian.org/debian-lts-announce/2025/08/msg00009.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://lists.debian.org/debian-lts-announce/2025/08/msg00009.html\"}, {\"url\": \"http://www.openwall.com/lists/oss-security/2025/07/09/3\"}, {\"url\": \"http://www.openwall.com/lists/oss-security/2025/07/10/2\"}, {\"url\": \"http://www.openwall.com/lists/oss-security/2025/07/10/9\"}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2025-11-04T21:11:18.699Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.4, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-49812\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-07-11T16:05:54.218961Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-07-11T16:05:57.199Z\"}}], \"cna\": {\"title\": \"Apache HTTP Server: mod_ssl TLS upgrade attack\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Robert Merget (Technology Innovation Institute)\"}, {\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Nurullah Erinola (Ruhr University Bochum)\"}, {\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Marcel Maehren (Ruhr University Bochum)\"}, {\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Lukas Knittel (Ruhr University Bochum)\"}, {\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Sven Hebrok (Paderborn University)\"}, {\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Marcus Brinkmann (Ruhr University Bochum)\"}, {\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Juraj Somorovsky (Paderborn University)\"}, {\"lang\": \"en\", \"type\": \"finder\", \"value\": \"J\\u00f6rg Schwenk (Ruhr University Bochum)\"}], \"metrics\": [{\"other\": {\"type\": \"Textual description of severity\", \"content\": {\"text\": \"moderate\"}}}], \"affected\": [{\"vendor\": \"Apache Software Foundation\", \"product\": \"Apache HTTP Server\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"2.4.63\"}], \"defaultStatus\": \"unaffected\"}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2025-04-22T07:26:00.000Z\", \"value\": \"Report received\"}, {\"lang\": \"en\", \"time\": \"2025-07-07T00:00:00.000Z\", \"value\": \"2.4.x revision 1927045\"}], \"references\": [{\"url\": \"https://httpd.apache.org/security/vulnerabilities_24.html\", \"tags\": [\"vendor-advisory\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"In some mod_ssl configurations on Apache HTTP Server versions through to 2.4.63, an HTTP desynchronisation attack allows a man-in-the-middle attacker to hijack an HTTP session via a TLS upgrade.\\n\\nOnly configurations using \\\"SSLEngine optional\\\" to enable TLS upgrades are affected. Users are recommended to upgrade to version 2.4.64, which removes support for TLS upgrade.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"In some mod_ssl configurations on Apache HTTP Server versions through to 2.4.63, an HTTP desynchronisation attack allows a man-in-the-middle attacker to hijack an HTTP session via a TLS upgrade.\u003cbr\u003e\u003cbr\u003eOnly configurations using \\\"SSLEngine optional\\\" to enable TLS upgrades are affected. Users are recommended to upgrade to version 2.4.64, which removes support for TLS upgrade.\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-287\", \"description\": \"CWE-287 Improper Authentication\"}]}], \"providerMetadata\": {\"orgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"shortName\": \"apache\", \"dateUpdated\": \"2025-07-10T16:58:23.943Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-49812\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-11-04T21:11:18.699Z\", \"dateReserved\": \"2025-06-11T09:36:54.723Z\", \"assignerOrgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"datePublished\": \"2025-07-10T16:58:23.943Z\", \"assignerShortName\": \"apache\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.