CVE-2025-49630

Published: 14 Jul 2025
Source: redhat
CVSS3: 7.5
EPSS: Low

Description

In certain proxy configurations, a denial of service attack against Apache HTTP Server versions 2.4.26 through to 2.4.63 can be triggered by untrusted clients causing an assertion in mod_proxy_http2. Affected configurations are those where a reverse proxy is configured for an HTTP/2 backend with ProxyPreserveHost set to "on".

An assertion failure flaw was found in Apache httpd. Untrusted clients can send inputs that trigger an assertion failure in the mod_proxy_http2 module, which likely results in an Apache HTTP server crash or denial of service (DoS).

Report

The vulnerability only affects Apache httpd if a reverse proxy is configured for an HTTP/2 backend with ProxyPreserveHost set to "on". This vulnerability is rated as Moderate because it requires a highly specific and non-default configuration to be exploitable—namely, an Apache HTTP Server acting as a reverse proxy with an HTTP/2 backend and ProxyPreserveHost set to "on". The flaw results in an assertion failure in the mod_proxy_http2 module when handling specially crafted inputs from untrusted clients. While this can lead to a denial of service via server crash, the impact is limited to availability, with no risk of remote code execution or data leakage. Additionally, the condition is recoverable through a simple restart, and there is no persistent state corruption.
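Because exposure depends on that exact combination of settings, a configuration audit is the practical first check. The following is an added example (not part of this advisory or of the httpd project): a small Python screen that flags h2:// and h2c:// ProxyPass backends declared while ProxyPreserveHost is On, plus a version check against the 2.4.26 through 2.4.63 range; the sample configuration and the simplified scoping of ProxyPreserveHost across VirtualHost blocks are constructed assumptions.

```python
import re

# Constructed sample httpd configuration (not from the advisory) mixing the
# affected combination (ProxyPreserveHost On + h2/h2c backend) with safe cases.
SAMPLE_CONFIG = """
# affected: preserve-host on and an HTTP/2 backend
ProxyPreserveHost On
ProxyPass "/api/" "h2c://app-backend.internal:8080/"
# HTTP/1.1 backend: out of scope for this advisory
ProxyPass "/legacy/" "http://legacy.internal/"
<VirtualHost *:443>
    # preserve-host off in this vhost: out of scope
    ProxyPreserveHost Off
    ProxyPass "/svc/" "h2://svc.internal:8443/"
</VirtualHost>
"""

H2_BACKEND = re.compile(r'ProxyPass(?:Match)?\s+\S+\s+"?(h2c?://[^\s"]+)', re.I)
PRESERVE = re.compile(r'ProxyPreserveHost\s+(On|Off)\b', re.I)


def find_affected_backends(config_text: str) -> list[str]:
    """Return h2:// and h2c:// backend URLs declared while ProxyPreserveHost is On."""
    # Simplified scoping (assumption): a server-level ProxyPreserveHost is inherited
    # by each <VirtualHost>, which may override it; other containers are ignored.
    server_preserve = False   # server-level setting seen so far
    current = False           # setting in effect for the line being read
    in_vhost = False
    affected = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comment lines and surrounding space
        lowered = line.lower()
        if lowered.startswith("<virtualhost"):
            in_vhost, current = True, server_preserve
        elif lowered.startswith("</virtualhost"):
            in_vhost, current = False, server_preserve
        elif m := PRESERVE.match(line):
            current = m.group(1).lower() == "on"
            if not in_vhost:
                server_preserve = current
        elif (m := H2_BACKEND.match(line)) and current:
            affected.append(m.group(1))
    return affected


def version_in_affected_range(version: str) -> bool:
    """True if an upstream httpd version lies within 2.4.26 through 2.4.63."""
    # Distribution builds may backport the fix without changing the version string,
    # so treat this as a screening check rather than proof of exposure.
    parts = tuple(int(p) for p in version.split("."))
    return (2, 4, 26) <= parts <= (2, 4, 63)
```

Run it against the real httpd.conf and included files (ProxyPass lines can live in any of them), and compare the installed package version against the vendor fix status in the table below rather than the upstream range alone.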

Mitigation

No mitigation is currently available that meets Red Hat Product Security’s standards for usability, deployment, applicability, or stability.

Affected packages

Platform                     | Package                | Status       | Recommendation | Release
Red Hat Enterprise Linux 10  | httpd                  | Affected     |                |
Red Hat Enterprise Linux 10  | mod_http2              | Affected     |                |
Red Hat Enterprise Linux 6   | httpd                  | Not affected |                |
Red Hat Enterprise Linux 7   | httpd                  | Not affected |                |
Red Hat Enterprise Linux 8   | httpd:2.4/httpd        | Not affected |                |
Red Hat Enterprise Linux 8   | httpd:2.4/mod_http2    | Affected     |                |
Red Hat Enterprise Linux 9   | httpd                  | Affected     |                |
Red Hat Enterprise Linux 9   | mod_http2              | Affected     |                |
Red Hat JBoss Core Services  | httpd                  | Affected     |                |
Red Hat JBoss Core Services  | jbcs-httpd24-httpd     | Affected     |                |

Additional information

Status:

Moderate
Weakness:
CWE-617
https://bugzilla.redhat.com/show_bug.cgi?id=2374578
httpd: mod_proxy_http2: untrusted input from a client causes an assertion to fail in the Apache mod_proxy_http2 module

EPSS

Percentile: 48%
0.00249
Low

CVSS3

7.5 High

Related vulnerabilities

CVSS3: 7.5
ubuntu
27 days ago

In certain proxy configurations, a denial of service attack against Apache HTTP Server versions 2.4.26 through to 2.4.63 can be triggered by untrusted clients causing an assertion in mod_proxy_http2. Affected configurations are those where a reverse proxy is configured for an HTTP/2 backend with ProxyPreserveHost set to "on".

CVSS3: 7.5
nvd
27 days ago

In certain proxy configurations, a denial of service attack against Apache HTTP Server versions 2.4.26 through to 2.4.63 can be triggered by untrusted clients causing an assertion in mod_proxy_http2. Affected configurations are those where a reverse proxy is configured for an HTTP/2 backend with ProxyPreserveHost set to "on".

CVSS3: 7.5
msrc
21 days ago

No description available

CVSS3: 7.5
debian
27 days ago

In certain proxy configurations, a denial of service attack against Apa ...

CVSS3: 7.5
github
27 days ago

In certain proxy configurations, a denial of service attack against Apache HTTP Server versions 2.4.26 through to 2.4.63 can be triggered by untrusted clients causing an assertion in mod_proxy_http2. Affected configurations are those where a reverse proxy is configured for an HTTP/2 backend with ProxyPreserveHost set to "on".

Vulnerability CVE-2025-49630