Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <d22efe03-5f68-b462-6b00-99935b222139@apache.org>
Date: Thu, 10 Jul 2025 17:14:08 +0000
From: Eric Covener <covener@...che.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2025-49630: Apache HTTP Server: mod_proxy_http2 denial of
 service 

Severity: low 

Affected versions:

- Apache HTTP Server 2.4.26 through 2.4.63

Description:

In certain proxy configurations, a denial of service attack against Apache HTTP Server versions 2.4.26 through to 2.4.63 can be triggered by untrusted clients causing an assertion in mod_proxy_http2.

Configurations affected are a reverse proxy is configured for an HTTP/2 backend, with ProxyPreserveHost set to "on".

Credit:

Anthony CORSIEZ (finder)

References:

https://httpd.apache.org/security/vulnerabilities_24.html
https://httpd.apache.org/
https://www.cve.org/CVERecord?id=CVE-2025-49630

Timeline:

2025-06-04: Report received
2025-07-07: 2.4.x revision 1927044

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.