CVE-2025-49812 - Vulnerability Details - OpenCVE

In some mod_ssl configurations on Apache HTTP Server versions through to 2.4.63, an HTTP desynchronisation attack allows a man-in-the-middle attacker to hijack an HTTP session via a TLS upgrade. Only configurations using "SSLEngine optional" to enable TLS upgrades are affected. Users are recommended to upgrade to version 2.4.64, which removes support for TLS upgrade.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

References

Link	Providers
https://httpd.apache.org/security/vulnerabilities_24.html

History

Fri, 11 Jul 2025 13:45:00 +0000

Type	Values Removed	Values Added
Metrics		epss `{'score': 0.00017}`

Thu, 10 Jul 2025 17:15:00 +0000

Type	Values Removed	Values Added
Description		In some mod_ssl configurations on Apache HTTP Server versions through to 2.4.63, an HTTP desynchronisation attack allows a man-in-the-middle attacker to hijack an HTTP session via a TLS upgrade. Only configurations using "SSLEngine optional" to enable TLS upgrades are affected. Users are recommended to upgrade to version 2.4.64, which removes support for TLS upgrade.
Title		Apache HTTP Server: mod_ssl TLS upgrade attack
Weaknesses		CWE-287
References		https://httpd.apache.org/security/vulnerabilities_24.html

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2025-07-10T16:58:23.943Z

Updated: 2025-07-10T16:58:23.943Z

Reserved: 2025-06-11T09:36:54.723Z

Link: CVE-2025-49812

Vulnrichment

No data.

NVD

Status : Received

Published: 2025-07-10T17:15:48.193

Modified: 2025-07-10T17:15:48.193

Link: CVE-2025-49812

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-49812", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2025-06-11T09:36:54.723Z", "datePublished": "2025-07-10T16:58:23.943Z", "dateUpdated": "2025-07-10T16:58:23.943Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Apache HTTP Server", "vendor": "Apache Software Foundation", "versions": [{"lessThanOrEqual": "2.4.63", "status": "affected", "version": "0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Robert Merget (Technology Innovation Institute)"}, {"lang": "en", "type": "finder", "value": "Nurullah Erinola (Ruhr University Bochum)"}, {"lang": "en", "type": "finder", "value": "Marcel Maehren (Ruhr University Bochum)"}, {"lang": "en", "type": "finder", "value": "Lukas Knittel (Ruhr University Bochum)"}, {"lang": "en", "type": "finder", "value": "Sven Hebrok (Paderborn University)"}, {"lang": "en", "type": "finder", "value": "Marcus Brinkmann (Ruhr University Bochum)"}, {"lang": "en", "type": "finder", "value": "Juraj Somorovsky (Paderborn University)"}, {"lang": "en", "type": "finder", "value": "J\u00f6rg Schwenk (Ruhr University Bochum)"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "In some mod_ssl configurations on Apache HTTP Server versions through to 2.4.63, an HTTP desynchronisation attack allows a man-in-the-middle attacker to hijack an HTTP session via a TLS upgrade.<br><br>Only configurations using \"SSLEngine optional\" to enable TLS upgrades are affected. Users are recommended to upgrade to version 2.4.64, which removes support for TLS upgrade."}], "value": "In some mod_ssl configurations on Apache HTTP Server versions through to 2.4.63, an HTTP desynchronisation attack allows a man-in-the-middle attacker to hijack an HTTP session via a TLS upgrade.\n\nOnly configurations using \"SSLEngine optional\" to enable TLS upgrades are affected. Users are recommended to upgrade to version 2.4.64, which removes support for TLS upgrade."}], "metrics": [{"other": {"content": {"text": "moderate"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-287", "description": "CWE-287 Improper Authentication", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2025-07-10T16:58:23.943Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://httpd.apache.org/security/vulnerabilities_24.html"}], "source": {"discovery": "UNKNOWN"}, "timeline": [{"lang": "en", "time": "2025-04-22T07:26:00.000Z", "value": "Report received"}, {"lang": "en", "time": "2025-07-07T00:00:00.000Z", "value": "2.4.x revision 1927045"}], "title": "Apache HTTP Server: mod_ssl TLS upgrade attack", "x_generator": {"engine": "Vulnogram 0.2.0"}}}}