CVE-2025-49630

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2025-49630

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-49630.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2025-49630

Aliases

BIT-apache-2025-49630

Downstream

ALPINE-CVE-2025-49630

BELL-CVE-2025-49630

DEBIAN-CVE-2025-49630

DLA-4270-1

MINI-jm4f-mx93-wr77

OESA-2025-2076

RHSA-2025:13680

RHSA-2025:14625

RHSA-2025:14983

RHSA-2025:15123

RHSA-2025:15516

RHSA-2025:15619

RHSA-2025:15684

RHSA-2025:15698

RHSA-2025:15725

RHSA-2025:15726

RHSA-2025:15727

RLSA-2025:14625

RLSA-2025:14983

RLSA-2025:15123

SUSE-SU-2025:02565-1

UBUNTU-CVE-2025-49630

USN-7639-1

USN-7639-2

Related

Published

2025-07-10T17:15:48.050Z

Modified

2025-11-14T03:34:49.961816Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

[none]

Details

In certain proxy configurations, a denial of service attack against Apache HTTP Server versions 2.4.26 through to 2.4.63 can be triggered by untrusted clients causing an assertion in modproxyhttp2.

Configurations affected are a reverse proxy is configured for an HTTP/2 backend, with ProxyPreserveHost set to "on".

References

Affected packages

Git / github.com/apache/httpd

Affected ranges

Type: GIT
Repo: https://github.com/apache/httpd
Events: Introduced

3cdd2d84507d2a86eb5dab2eec96f1035bb76d6c

Fixed

7e926454793abd7d71b6afc8bd1ec1648752c6ad