CVE-2025-49630: Apache HTTP Server: mod_proxy_http2 denial of service

[Eric Covener <covener () apache org>]

Severity: low 

Affected versions:

- Apache HTTP Server 2.4.26 through 2.4.63

Description:

In certain proxy configurations, a denial of service attack against Apache HTTP Server versions 2.4.26 through to 
2.4.63 can be triggered by untrusted clients causing an assertion in mod_proxy_http2.

Configurations affected are a reverse proxy is configured for an HTTP/2 backend, with ProxyPreserveHost set to "on".

Credit:

Anthony CORSIEZ (finder)

References:

https://httpd.apache.org/security/vulnerabilities_24.html
https://httpd.apache.org/
https://www.cve.org/CVERecord?id=CVE-2025-49630

Timeline:

2025-06-04: Report received
2025-07-07: 2.4.x revision 1927044