oss-sec mailing list archives

CVE-2025-54090: Apache HTTP Server: 'RewriteCond expr' always evaluates to true in 2.4.64


From: Eric Covener <covener () apache org>
Date: Wed, 23 Jul 2025 12:14:07 +0000

Severity: moderate 

Affected versions:

- Apache HTTP Server 2.4.64

Description:

A bug in Apache HTTP Server 2.4.64 results in all "RewriteCond expr ..." tests evaluating as "true".

Users are recommended to upgrade to version 2.4.65, which fixes the issue.

References:

https://httpd.apache.org/security/vulnerabilities_24.html
https://httpd.apache.org/
https://www.cve.org/CVERecord?id=CVE-2025-54090

Timeline:

2025-07-16: reported
2025-07-23: fixed in 2.4.x by r1927361
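
To gauge exposure, the following added example (not part of the advisory and not Apache project code) lists every `RewriteCond expr` directive in a configuration or `.htaccess` text and checks an `httpd -v` style banner against the affected release. The function names and the sample configuration are constructed for illustration; it assumes `shlex` is a close enough approximation of httpd's quoting and matches the `expr` keyword case-insensitively to stay conservative.

```python
import re
import shlex

AFFECTED = {"2.4.64"}  # per the advisory; 2.4.65 carries the fix

# Constructed sample configuration, not taken from any real deployment.
SAMPLE = r"""RewriteEngine On
# RewriteCond expr "commented out"
RewriteCond %{REQUEST_URI} ^/admin
RewriteCond expr "-R '10.0.0.0/8'"
RewriteRule ^ - [F]
rewritecond EXPR \
    "%{HTTP_HOST} == 'example.org'"
RewriteRule ^ /x [L]
"""

def logical_lines(text):
    """Yield (first_line_no, text), joining backslash-continued lines."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        start = no if start is None else start
        if raw.endswith("\\"):
            buf += raw[:-1]
            continue
        yield start, buf + raw
        buf, start = "", None
    if buf:
        yield start, buf

def find_expr_conditions(text):
    """Return [(line_no, expression)] for each 'RewriteCond expr ...'."""
    hits = []
    for no, line in logical_lines(text):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            args = shlex.split(line)  # approximates httpd's quoting rules
        except ValueError:
            args = line.split()
        # Assumption: match the 'expr' keyword case-insensitively (conservative).
        if len(args) >= 3 and args[0].lower() == "rewritecond" and args[1].lower() == "expr":
            hits.append((no, args[2]))
    return hits

def is_affected(version_banner):
    """True if an 'httpd -v' style banner names an affected release."""
    m = re.search(r"Apache/(\d+\.\d+\.\d+)", version_banner)
    return bool(m) and m.group(1) in AFFECTED

if __name__ == "__main__":
    for no, expr in find_expr_conditions(SAMPLE):
        print(f"line {no}: RewriteCond expr {expr!r}")
```

Each reported directive is a condition that 2.4.64 treats as satisfied regardless of the expression, so the rules it guards should be reviewed on any host where `is_affected` returns true.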

