CVE-2025-55753: Apache HTTP Server: mod_md (ACME), unintended retry intervals

[Eric Covener <covener () apache org>]

Severity: low 

Affected versions:

- Apache HTTP Server 2.4.30 before 2.4.66

Description:

An integer overflow in the case of failed ACME certificate renewal leads, after a number of failures (~30 days in 
default configurations), to the backoff timer becoming 0. Attempts to renew the certificate then are repeated without 
delays until it succeeds.

This issue affects Apache HTTP Server: from 2.4.30 before 2.4.66.


Users are recommended to upgrade to version 2.4.66, which fixes the issue.

Credit:

Aisle Research (finder)

References:

https://httpd.apache.org/security/vulnerabilities_24.html
https://httpd.apache.org/
https://www.cve.org/CVERecord?id=CVE-2025-55753

Timeline:

2025-08-15: reported
2025-11-20: fixed by r1929884 in 2.4.x