oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

CVE-2025-49812: Apache HTTP Server: mod_ssl TLS upgrade attack

From: Eric Covener <covener () apache org>
Date: Thu, 10 Jul 2025 17:14:18 +0000
Severity: moderate 

Affected versions:

- Apache HTTP Server through 2.4.63

Description:

In some mod_ssl configurations on Apache HTTP Server versions through to 2.4.63, an HTTP desynchronisation attack 
allows a man-in-the-middle attacker to hijack an HTTP session via a TLS upgrade.

Only configurations using "SSLEngine optional" to enable TLS upgrades are affected. Users are recommended to upgrade to 
version 2.4.64, which removes support for TLS upgrade.

Credit:

Robert Merget (Technology Innovation Institute) (finder)
Nurullah Erinola (Ruhr University Bochum) (finder)
Marcel Maehren (Ruhr University Bochum) (finder)
Lukas Knittel (Ruhr University Bochum) (finder)
Sven Hebrok (Paderborn University) (finder)
Marcus Brinkmann (Ruhr University Bochum) (finder)
Juraj Somorovsky (Paderborn University) (finder)
Jörg Schwenk (Ruhr University Bochum) (finder)

References:

https://httpd.apache.org/security/vulnerabilities_24.html
https://httpd.apache.org/
https://www.cve.org/CVERecord?id=CVE-2025-49812

Timeline:

2025-04-22: Report received
2025-07-07: 2.4.x revision 1927045
Previous By Date Next
Previous By Thread Next

Current thread: