CVE-2025-49812: In some mod_ssl configurations on Apache HTTP Server versions through to 2.4.63, an HTTP desynchronisation attack allows a man-in-the-middle attacker to hijack an HTTP session via a TLS upgrade. Only configurations using "SSLEngine optional" to enable TLS upgrades are affected. Users are recommended to upgrade to version 2.4.64, which removes support for TLS upgrade.

Kurzinfo

Veroeffentlicht: 2025-07-10 00:00 UTC Importiert: 2026-05-14 20:48 UTC CVSS: 7.4 Quelle-ID: apache_httpd_sec uid_hash: 352ff67bcfa9725d518816e317de51e64f3f5b03eb16419b5d314eab993029b0
Apache HTTP Server Security (httpd.org JSON)

Verknuepfte CVEs

CVE-ID Severity (CVE.org) CVSS (CVE.org) EPSS EPSS-% Veroeffentlicht (CVE.org)

CVE-2025-49812

 HIGH 7.4 - - 2025-07-10

Quellen-Details

Bezeichnung Name Kategorie Tags Zielgruppe Sprache Feed-URL
Apache HTTP Server Security (httpd.org JSON)

apache_httpd_sec

 vendor_advisory webserver, httpd - de https://httpd.apache.org/security/vulnerabilities-httpd.json
Zurueck zur Eintrags-Liste