CVE-2025-49812

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2025-49812

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-49812.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2025-49812

Aliases

BIT-apache-2025-49812

Downstream

ALPINE-CVE-2025-49812

BELL-CVE-2025-49812

DEBIAN-CVE-2025-49812

DLA-4270-1

MINI-32jq-cw2q-rj9x

OESA-2025-2168

OESA-2025-2169

OESA-2025-2170

OESA-2025-2171

OESA-2025-2172

OESA-2025-2278

RHSA-2025:13680

RHSA-2025:14901

RHSA-2025:14902

RHSA-2025:14903

RHSA-2025:14997

RHSA-2025:14998

RHSA-2025:15023

RHSA-2025:15036

RHSA-2025:15095

RHSA-2025:15123

RHSA-2025:15516

RHSA-2025:15619

RHSA-2025:15684

RHSA-2025:15698

RLSA-2025:15023

RLSA-2025:15095

RLSA-2025:15123

SUSE-SU-2025:02565-1

UBUNTU-CVE-2025-49812

USN-7639-1

USN-7639-2

Related

Published

2025-07-10T17:15:48.193Z

Modified

2025-11-14T03:34:00.786711Z

Severity

7.4 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS Calculator

Summary

[none]

Details

In some mod_ssl configurations on Apache HTTP Server versions through to 2.4.63, an HTTP desynchronisation attack allows a man-in-the-middle attacker to hijack an HTTP session via a TLS upgrade.

Only configurations using "SSLEngine optional" to enable TLS upgrades are affected. Users are recommended to upgrade to version 2.4.64, which removes support for TLS upgrade.

References

Affected packages

Git / github.com/apache/httpd

Affected ranges

Type: GIT
Repo: https://github.com/apache/httpd
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

7e926454793abd7d71b6afc8bd1ec1648752c6ad