CVE-2025-49630

HIGH7.5

Apache HTTP Server: mod_proxy_http2 denial of service

Published Jul 10, 2025

Modified 4 months ago

Details

In certain proxy configurations, a denial of service attack against Apache HTTP Server versions 2.4.26 through to 2.4.63 can be triggered by untrusted clients causing an assertion in mod_proxy_http2.

Configurations affected are a reverse proxy is configured for an HTTP/2 backend, with ProxyPreserveHost set to "on".

References

WEB

http://www.openwall.com/lists/oss-security/2025/07/10/2

WEB

http://www.openwall.com/lists/oss-security/2025/07/10/7

ADVISORY

https://httpd.apache.org/security/vulnerabilities_24.html

WEB

https://lists.debian.org/debian-lts-announce/2025/08/msg00009.html

ADVISORY

https://www.cve.org/CVERecord?id=CVE-2025-49630

CVSS Analysis

CVSS v3.1

7.5

Exploitability

Attack Vector

NetworkAV:N

Attack Complexity

LowAC:L

Privileges Required

NonePR:N

User Interaction

NoneUI:N

Scope

UnchangedS:U

Impact

Confidentiality

NoneC:N

Integrity

NoneI:N

Availability

HighA:H

7.5/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Weakness Type (CWE)

Other

CWE-617

Ecosystems

Timeline

PublishedJul 10, 2025

ModifiedNov 4, 2025