{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-53020", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2025-06-24T07:13:19.552Z", "datePublished": "2025-07-10T16:59:06.340Z", "dateUpdated": "2025-07-10T16:59:06.340Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Apache HTTP Server", "vendor": "Apache Software Foundation", "versions": [{"lessThanOrEqual": "2.4.63", "status": "affected", "version": "2.4.17", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Gal Bar Nahum"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Late Release of Memory after Effective Lifetime vulnerability in Apache HTTP Server.</p><p>This issue affects Apache HTTP Server: from 2.4.17 up to 2.4.63.</p><p>Users are recommended to upgrade to version 2.4.64, which fixes the issue.</p>"}], "value": "Late Release of Memory after Effective Lifetime vulnerability in Apache HTTP Server.\n\nThis issue affects Apache HTTP Server: from 2.4.17 up to 2.4.63.\n\nUsers are recommended to upgrade to version 2.4.64, which fixes the issue."}], "metrics": [{"other": {"content": {"text": "moderate"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-401", "description": "CWE-401 Missing Release of Memory after Effective Lifetime", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2025-07-10T16:59:06.340Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://httpd.apache.org/security/vulnerabilities_24.html"}], "source": {"discovery": "UNKNOWN"}, "timeline": [{"lang": "en", "time": "2025-06-18T09:19:00.000Z", "value": "reported"}, {"lang": "en", "time": "2025-06-19T09:20:00.000Z", "value": "fix developed"}, {"lang": "en", "time": "2025-07-07T00:00:00.000Z", "value": "2.4.x revision 1927046"}], "title": "Apache HTTP Server: HTTP/2 DoS by Memory Increase", "x_generator": {"engine": "Vulnogram 0.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Late Release of Memory after Effective Lifetime vulnerability in Apache HTTP Server.\n\nThis issue affects Apache HTTP Server: from 2.4.17 up to 2.4.63.\n\nUsers are recommended to upgrade to version 2.4.64, which fixes the issue."}], "id": "CVE-2025-53020", "lastModified": "2025-07-10T17:15:48.337", "metrics": {}, "published": "2025-07-10T17:15:48.337", "references": [{"source": "[email protected]", "url": "https://httpd.apache.org/security/vulnerabilities_24.html"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-401"}], "source": "[email protected]", "type": "Primary"}]}

{"bugzilla": {"description": "httpd: Apache HTTP Server Memory Exhaustion", "id": "2379343", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2379343"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "status": "draft"}, "cwe": "CWE-401", "details": ["A memory exhaustion flaw has been discovered in the Apache HTTP server. In some instances, the Apache HTTP server fails to free memory. Given sufficient time, this may lead to the host operating system killing the web server in order to reclaim memory."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2025-53020", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "httpd", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "httpd", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "httpd", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "httpd:2.4/httpd", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "httpd", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:jboss_core_services:1", "fix_state": "Fix deferred", "package_name": "httpd", "product_name": "Red Hat JBoss Core Services"}, {"cpe": "cpe:/a:redhat:jboss_core_services:1", "fix_state": "Fix deferred", "package_name": "jbcs-httpd24-httpd", "product_name": "Red Hat JBoss Core Services"}], "public_date": "2025-07-10T16:59:06Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-53020\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-53020\nhttps://httpd.apache.org/security/vulnerabilities_24.html"], "threat_severity": "Moderate"}