SB2025071040 - Multiple vulnerabilities in Apache HTTP Server
Published: July 10, 2025 Updated: January 4, 2026
Description
This security bulletin contains information about 8 security vulnerabilities.
1) Resource management error (CVE-ID: CVE-2025-53020)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper management of internal resources within the server when handling HTTP/2 requests. A remote attacker can send multiple requests to the server and perform a denial of service (DoS) attack.
2) Cryptographic issues (CVE-ID: CVE-2025-49812)
The vulnerability allows a remote attacker to perform a man-in-the-middle (MitM) attack.
The vulnerability exists due to the way certain mod_ssl configurations handle TLS upgrades. A remote attacker can launch an HTTP desynchronisation attack, which allows a man-in-the-middle attacker to hijack an HTTP session via a TLS upgrade.
Note, only configurations using "SSLEngine optional" to enable TLS upgrades are affected.
3) Resource management error (CVE-ID: CVE-2025-49630)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper management of internal resources in mod_proxy_http2. A remote attacker can send specially crafted requests to the server and perform a denial of service (DoS) attack.
Successful exploitation of the vulnerability requires that the reverse proxy is configured for an HTTP/2 backend, with ProxyPreserveHost set to "on".
4) Security features bypass (CVE-ID: CVE-2025-23048)
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to an access control bypass with session resumption in mod_ssl. A remote attacker can use TLS 1.3 session resumption to bypass implemented access control.
Configurations are affected when mod_ssl is configured for multiple virtual hosts, with each restricted to a different set of trusted client certificates (for example with a different SSLCACertificateFile/Path setting). In such a case, a client trusted to access one virtual host may be able to access another virtual host, if SSLStrictSNIVHostCheck is not enabled in either virtual host.
5) Improper Encoding or Escaping of Output (CVE-ID: CVE-2024-47252)
The vulnerability allows a remote attacker to manipulate data in log files.
The vulnerability exists due to improper input validation in mod_ssl. In a logging configuration where CustomLog is used with "%{varname}x" or "%{varname}c" to log variables provided by mod_ssl such as SSL_TLS_SNI, no escaping is performed by either mod_log_config or mod_ssl and unsanitized data provided by the client may appear in log files. A remote attacker can manipulate contents of log files.
6) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2024-43394)
The disclosed vulnerability allows a remote attacker to perform SSRF attacks.
The vulnerability exists due to insufficient validation of user-supplied input when handling UNC paths on Windows. A remote attacker can trick the application into initiating requests to arbitrary systems and potentially leak NTLM hashes to a malicious server via mod_rewrite or Apache expressions that pass unvalidated request input.
Note, the vulnerability affects Windows installations only.
7) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2024-43204)
The disclosed vulnerability allows a remote attacker to perform SSRF attacks.
The vulnerability exists due to insufficient validation of user-supplied input in mod_proxy. A remote attacker can send a specially crafted HTTP request and trick the application into initiating requests to arbitrary systems.
Note, exploitation of the vulnerability requires an unlikely configuration where mod_headers is configured to modify the Content-Type request or response header with a value provided in the HTTP request.
8) HTTP response splitting (CVE-ID: CVE-2024-42516)
The vulnerability allows a remote attacker to perform HTTP splitting attacks.
The vulnerability exists because the software does not correctly process CRLF character sequences. A remote attacker with the ability to manipulate the Content-Type response headers of applications hosted or proxied by the server can send a specially crafted request containing a CRLF sequence and make the application send a split HTTP response.
Successful exploitation of the vulnerability may allow an attacker to perform a cache poisoning attack.
Note, this vulnerability exists due to a missing fix for #VU88151 (CVE-2023-38709).
Remediation
Install the update from the vendor's website.
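Several of the issues above (items 2 to 5) only apply to specific configurations, so while the update is being rolled out it helps to know which servers meet those preconditions. The Python scan below is an added example, not code from this bulletin or from the Apache project; it checks httpd configuration text for the directives the bulletin names. The sample configuration, host names and file paths are constructed, and treating `LogFormat` lines like `CustomLog` and `h2://`/`h2c://` targets as the HTTP/2 backend marker are assumptions of this example.

```python
import re

# Constructed sample configuration (not from the bulletin); paths and hosts are hypothetical.
SAMPLE_CONF = """\
ProxyPreserveHost On
ProxyPass "/api" "h2://backend.internal.example:8443/"
CustomLog logs/ssl.log "%h %{SSL_TLS_SNI}x \\"%r\\" %>s"
<VirtualHost *:443>
    SSLEngine on
    SSLCACertificateFile conf/ca-team-a.pem
</VirtualHost>
<VirtualHost *:443>
    SSLEngine optional
    SSLCACertificateFile conf/ca-team-b.pem
</VirtualHost>
"""

def audit(conf: str) -> list[str]:
    """Return the CVE IDs whose configuration preconditions appear in conf."""
    hits, vhosts, cur = set(), [], None      # cur: the <VirtualHost> being read
    seen = {"strict": False, "preserve": False, "h2": False}  # server-wide flags
    for raw in conf.splitlines():
        line = raw.strip()
        low = line.lower()                   # directive names are case-insensitive
        if not line or line.startswith("#"):
            continue
        if low.startswith("<virtualhost"):
            cur = {"ca": None, "strict": False}
        elif low.startswith("</virtualhost") and cur is not None:
            vhosts.append(cur)
            cur = None
        elif re.match(r"sslengine\s+optional\b", low):        # TLS upgrade enabled
            hits.add("CVE-2025-49812")
        elif re.match(r"proxypreservehost\s+on\b", low):
            seen["preserve"] = True
        elif re.match(r"(proxypass(match)?|balancermember)\s.*\bh2c?://", low):
            seen["h2"] = True                                 # HTTP/2 backend
        elif re.match(r"sslstrictsnivhostcheck\s+on\b", low):
            (cur if cur is not None else seen)["strict"] = True
        elif re.match(r"sslcacertificate(file|path)\s", low) and cur is not None:
            cur["ca"] = line.split(None, 1)[1]
        elif re.match(r"(customlog|logformat)\s", low) and re.search(r"%\{[^}]+\}[xc]", line):
            hits.add("CVE-2024-47252")                        # mod_ssl variable logged
    if seen["preserve"] and seen["h2"]:
        hits.add("CVE-2025-49630")
    # Distinct client-CA sets among vhosts that do not enforce the strict SNI check.
    loose = {v["ca"] for v in vhosts if v["ca"] and not (v["strict"] or seen["strict"])}
    if len(loose) >= 2:
        hits.add("CVE-2025-23048")
    return sorted(hits)
```

Calling `audit(SAMPLE_CONF)` reports all four configuration-dependent CVEs for the sample; the scan is line-based and does not follow `Include` directives, so run it over the fully assembled configuration.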
References
- https://downloads.apache.org/httpd/CHANGES_2.4
- https://lists.apache.org/thread/807pljcx225ompnovcbfrnv7xwl546lh
- https://lists.apache.org/thread/4m0spjgwshl473c2hhgm3nop2d5lvs9q
- https://lists.apache.org/thread/5z41bbglxwwh8tqkctc1w1nqolm1jc8x
- https://lists.apache.org/thread/xdzb3wztgfr8hk8r725tvv2hm8zj8dnr
- https://lists.apache.org/thread/vsktddqb8rgxskc5zc182nl2p12j0b2x
- https://lists.apache.org/thread/n6m3wggn19jn9g5wjj8v9x5yvm014sdf
- https://lists.apache.org/thread/tfrrff6k2p5tqg1ht6lxcgjy8564y952
- https://lists.apache.org/thread/hzhlotv6opq1rmgdctcn5nwnmynsyr58