{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-49812", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2025-06-11T09:36:54.723Z", "datePublished": "2025-07-10T16:58:23.943Z", "dateUpdated": "2025-07-15T19:56:14.709Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Apache HTTP Server", "vendor": "Apache Software Foundation", "versions": [{"lessThanOrEqual": "2.4.63", "status": "affected", "version": "0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Robert Merget (Technology Innovation Institute)"}, {"lang": "en", "type": "finder", "value": "Nurullah Erinola (Ruhr University Bochum)"}, {"lang": "en", "type": "finder", "value": "Marcel Maehren (Ruhr University Bochum)"}, {"lang": "en", "type": "finder", "value": "Lukas Knittel (Ruhr University Bochum)"}, {"lang": "en", "type": "finder", "value": "Sven Hebrok (Paderborn University)"}, {"lang": "en", "type": "finder", "value": "Marcus Brinkmann (Ruhr University Bochum)"}, {"lang": "en", "type": "finder", "value": "Juraj Somorovsky (Paderborn University)"}, {"lang": "en", "type": "finder", "value": "J\u00f6rg Schwenk (Ruhr University Bochum)"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "In some mod_ssl configurations on Apache HTTP Server versions through to 2.4.63, an HTTP desynchronisation attack allows a man-in-the-middle attacker to hijack an HTTP session via a TLS upgrade.<br><br>Only configurations using \"SSLEngine optional\" to enable TLS upgrades are affected. Users are recommended to upgrade to version 2.4.64, which removes support for TLS upgrade."}], "value": "In some mod_ssl configurations on Apache HTTP Server versions through to 2.4.63, an HTTP desynchronisation attack allows a man-in-the-middle attacker to hijack an HTTP session via a TLS upgrade.\n\nOnly configurations using \"SSLEngine optional\" to enable TLS upgrades are affected. Users are recommended to upgrade to version 2.4.64, which removes support for TLS upgrade."}], "metrics": [{"other": {"content": {"text": "moderate"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-287", "description": "CWE-287 Improper Authentication", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2025-07-10T16:58:23.943Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://httpd.apache.org/security/vulnerabilities_24.html"}], "source": {"discovery": "UNKNOWN"}, "timeline": [{"lang": "en", "time": "2025-04-22T07:26:00.000Z", "value": "Report received"}, {"lang": "en", "time": "2025-07-07T00:00:00.000Z", "value": "2.4.x revision 1927045"}], "title": "Apache HTTP Server: mod_ssl TLS upgrade attack", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.4, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-07-11T16:05:54.218961Z", "id": "CVE-2025-49812", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-15T19:56:14.709Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.4, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-49812", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-07-11T16:05:54.218961Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-11T16:05:57.199Z"}}], "cna": {"title": "Apache HTTP Server: mod_ssl TLS upgrade attack", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Robert Merget (Technology Innovation Institute)"}, {"lang": "en", "type": "finder", "value": "Nurullah Erinola (Ruhr University Bochum)"}, {"lang": "en", "type": "finder", "value": "Marcel Maehren (Ruhr University Bochum)"}, {"lang": "en", "type": "finder", "value": "Lukas Knittel (Ruhr University Bochum)"}, {"lang": "en", "type": "finder", "value": "Sven Hebrok (Paderborn University)"}, {"lang": "en", "type": "finder", "value": "Marcus Brinkmann (Ruhr University Bochum)"}, {"lang": "en", "type": "finder", "value": "Juraj Somorovsky (Paderborn University)"}, {"lang": "en", "type": "finder", "value": "J\u00f6rg Schwenk (Ruhr University Bochum)"}], "metrics": [{"other": {"type": "Textual description of severity", "content": {"text": "moderate"}}}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache HTTP Server", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.4.63"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-04-22T07:26:00.000Z", "value": "Report received"}, {"lang": "en", "time": "2025-07-07T00:00:00.000Z", "value": "2.4.x revision 1927045"}], "references": [{"url": "https://httpd.apache.org/security/vulnerabilities_24.html", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "In some mod_ssl configurations on Apache HTTP Server versions through to 2.4.63, an HTTP desynchronisation attack allows a man-in-the-middle attacker to hijack an HTTP session via a TLS upgrade.\n\nOnly configurations using \"SSLEngine optional\" to enable TLS upgrades are affected. Users are recommended to upgrade to version 2.4.64, which removes support for TLS upgrade.", "supportingMedia": [{"type": "text/html", "value": "In some mod_ssl configurations on Apache HTTP Server versions through to 2.4.63, an HTTP desynchronisation attack allows a man-in-the-middle attacker to hijack an HTTP session via a TLS upgrade.<br><br>Only configurations using \"SSLEngine optional\" to enable TLS upgrades are affected. Users are recommended to upgrade to version 2.4.64, which removes support for TLS upgrade.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-287", "description": "CWE-287 Improper Authentication"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2025-07-10T16:58:23.943Z"}}}, "cveMetadata": {"cveId": "CVE-2025-49812", "state": "PUBLISHED", "dateUpdated": "2025-07-15T19:56:14.709Z", "dateReserved": "2025-06-11T09:36:54.723Z", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "datePublished": "2025-07-10T16:58:23.943Z", "assignerShortName": "apache"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "662068A4-E8A3-4A24-80B6-F15720D57114", "versionEndExcluding": "2.4.64", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In some mod_ssl configurations on Apache HTTP Server versions through to 2.4.63, an HTTP desynchronisation attack allows a man-in-the-middle attacker to hijack an HTTP session via a TLS upgrade.\n\nOnly configurations using \"SSLEngine optional\" to enable TLS upgrades are affected. Users are recommended to upgrade to version 2.4.64, which removes support for TLS upgrade."}, {"lang": "es", "value": "En algunas configuraciones de mod_ssl en las versiones de Apache HTTP Server hasta la 2.4.63, un ataque de desincronizaci\u00f3n HTTP permite a un atacante intermediario secuestrar una sesi\u00f3n HTTP mediante una actualizaci\u00f3n de TLS. Solo se ven afectadas las configuraciones que utilizan \"SSLEngine opcional\" para habilitar las actualizaciones de TLS. Se recomienda a los usuarios actualizar a la versi\u00f3n 2.4.64, que elimina la compatibilidad con la actualizaci\u00f3n de TLS."}], "id": "CVE-2025-49812", "lastModified": "2025-07-29T15:09:47.573", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.2, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-07-10T17:15:48.193", "references": [{"source": "security@apache.org", "tags": ["Vendor Advisory"], "url": "https://httpd.apache.org/security/vulnerabilities_24.html"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "security@apache.org", "type": "Secondary"}]}

{"bugzilla": {"description": "httpd: HTTP Session Hijack via a TLS upgrade", "id": "2374580", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2374580"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "details": ["In some mod_ssl configurations on Apache HTTP Server versions through to 2.4.63, an HTTP desynchronisation attack allows a man-in-the-middle attacker to hijack an HTTP session via a TLS upgrade.\nOnly configurations using \"SSLEngine optional\" to enable TLS upgrades are affected. Users are recommended to upgrade to version 2.4.64, which removes support for TLS upgrade.", "An HTTP session hijacking flaw was found in Apache httpd. In some mod_ssl configurations on Apache HTTP Server, an HTTP desynchronization attack allows a man-in-the-middle attacker to hijack an HTTP session via a TLS upgrade."], "mitigation": {"lang": "en:us", "value": "No mitigation is currently available that meets Red Hat Product Security\u2019s standards for usability, deployment, applicability, or stability."}, "name": "CVE-2025-49812", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "httpd", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Affected", "package_name": "httpd", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "httpd", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "httpd:2.4/httpd", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "httpd", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:jboss_core_services:1", "fix_state": "Affected", "package_name": "httpd", "product_name": "Red Hat JBoss Core Services"}, {"cpe": "cpe:/a:redhat:jboss_core_services:1", "fix_state": "Affected", "package_name": "jbcs-httpd24-httpd", "product_name": "Red Hat JBoss Core Services"}], "public_date": "2025-07-14T07:24:13Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-49812\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-49812"], "statement": "Only configurations using the \\\"SSLEngine optional\\\" to enable TLS upgrades are affected.\nThis vulnerability is rated Moderate rather than Important primarily due to the narrow scope of affected configurations and preconditions required for exploitation. Specifically, it only impacts Apache HTTP Server setups where SSLEngine optional is used\u2014a rarely employed configuration that permits opportunistic TLS upgrades (also known as STARTTLS-style negotiation). For an attacker to successfully exploit this flaw, a man-in-the-middle (MitM) position is required, and the server must be using this optional TLS upgrade setup, which is uncommon and discouraged in modern secure deployments. The vulnerability arises due to HTTP desynchronization, allowing the attacker to potentially hijack sessions during the upgrade process.", "threat_severity": "Moderate"}