CVE-2025-49812: Apache HTTP Server: mod_ssl TLS upgrade attack

Eric Covener <covener@xxxxxxxxxx> · Thu, 10 Jul 2025 17:14:18 +0000

Severity: moderate 

Affected versions:

- Apache HTTP Server through 2.4.63

Description:

In some mod_ssl configurations on Apache HTTP Server versions through to 2.4.63, an HTTP desynchronisation attack allows a man-in-the-middle attacker to hijack an HTTP session via a TLS upgrade.

Only configurations using "SSLEngine optional" to enable TLS upgrades are affected. Users are recommended to upgrade to version 2.4.64, which removes support for TLS upgrade.

Credit:

Robert Merget (Technology Innovation Institute) (finder)
Nurullah Erinola (Ruhr University Bochum) (finder)
Marcel Maehren (Ruhr University Bochum) (finder)
Lukas Knittel (Ruhr University Bochum) (finder)
Sven Hebrok (Paderborn University) (finder)
Marcus Brinkmann (Ruhr University Bochum) (finder)
Juraj Somorovsky (Paderborn University) (finder)
Jörg Schwenk (Ruhr University Bochum) (finder)

References:

https://httpd.apache.org/security/vulnerabilities_24.html
https://httpd.apache.org/
https://www.cve.org/CVERecord?id=CVE-2025-49812

Timeline:

2025-04-22: Report received
2025-07-07: 2.4.x revision 1927045

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx