CVE-2025-23048: Apache HTTP Server: mod_ssl access control bypass with session resumption

[Eric Covener <covener () apache org>]

Severity: moderate 

Affected versions:

- Apache HTTP Server 2.4.35 through 2.4.63

Description:

In some mod_ssl configurations on Apache HTTP Server 2.4.35 through to 2.4.63, an access control bypass by trusted 
clients is possible using TLS 1.3 session resumption.

Configurations are affected when mod_ssl is configured for multiple virtual hosts, with each restricted to a different 
set of trusted client certificates (for example with a different SSLCACertificateFile/Path setting). In such a case, a 
client trusted to access one virtual host may be able to access another virtual host, if SSLStrictSNIVHostCheck is not 
enabled in either virtual host.

Credit:

Sven Hebrok, Felix Cramer, Tim Storm, Maximilian Radoy, and Juraj Somorovsky at Paderborn University (finder)

References:

https://httpd.apache.org/security/vulnerabilities_24.html
https://httpd.apache.org/
https://www.cve.org/CVERecord?id=CVE-2025-23048

Timeline:

2024-11-25: reported
2025-07-07: 2.4.x revision 1927043