Message-ID: <2d695126-80fb-9e45-4555-bf91c2fb9ffe@apache.org>
Date: Thu, 04 Dec 2025 14:40:39 +0000
From: Eric Covener <covener@...che.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2025-55753: Apache HTTP Server: mod_md (ACME), unintended
 retry intervals 

Severity: low 

Affected versions:

- Apache HTTP Server 2.4.30 before 2.4.66

Description:

An integer overflow in the handling of failed ACME certificate renewals causes the backoff timer to become 0 after a number of failures (~30 days in default configurations). Renewal attempts are then repeated without delay until one succeeds.

This issue affects Apache HTTP Server: from 2.4.30 before 2.4.66.


Users are recommended to upgrade to version 2.4.66, which fixes the issue.

Credit:

Aisle Research (finder)

References:

https://httpd.apache.org/security/vulnerabilities_24.html
https://httpd.apache.org/
https://www.cve.org/CVERecord?id=CVE-2025-55753

Timeline:

2025-08-15: reported
2025-11-20: fixed by r1929884 in 2.4.x
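
The failure mode described above, modelled as an added example (not code from this advisory or from mod_md): a doubling backoff that clamps only after multiplying wraps to 0, shown next to a saturating version. The base delay, the ceiling, the unsigned 64-bit microsecond type and all function names are assumptions chosen for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed values for illustration only; not taken from mod_md. */
#define BASE_DELAY_US  UINT64_C(5000000)      /* 5 s first retry delay */
#define MAX_DELAY_US   UINT64_C(86400000000)  /* 24 h ceiling */

/* Flawed pattern: double first, clamp afterwards. Unsigned arithmetic wraps
 * modulo 2^64, so once every set bit has been doubled out the value is 0,
 * and the clamp does not help because 0 is not above the ceiling. */
uint64_t backoff_wrapping(unsigned failures)
{
    uint64_t delay = BASE_DELAY_US;
    for (unsigned i = 1; i < failures; i++)
        delay *= 2;
    if (delay > MAX_DELAY_US)
        delay = MAX_DELAY_US;
    return delay;
}

/* Hardened pattern: check against the ceiling before each doubling, so the
 * value saturates and can never wrap. */
uint64_t backoff_saturating(unsigned failures)
{
    uint64_t delay = BASE_DELAY_US;
    for (unsigned i = 1; i < failures; i++) {
        if (delay > MAX_DELAY_US / 2)
            return MAX_DELAY_US;
        delay *= 2;
    }
    return delay;
}

/* Smallest failure count at which the flawed version yields no delay. */
unsigned first_zero_delay(void)
{
    for (unsigned n = 1; n <= 128; n++)
        if (backoff_wrapping(n) == 0)
            return n;
    return 0;
}

int main(void)
{
    unsigned n = first_zero_delay();
    printf("wrapping: delay is 0 after %u consecutive failures\n", n);
    printf("saturating: %llu us\n", (unsigned long long)backoff_saturating(n));
    return 0;
}
```

The failure count at which this model wraps depends on the assumed constants and is not meant to reproduce the ~30 days quoted in the advisory.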
