CVE-2025-49630

EUVD-2025-21017
In certain proxy configurations, a denial of service attack against Apache HTTP Server versions 2.4.26 through to 2.4.63 can be triggered by untrusted clients causing an assertion in mod_proxy_http2.

Configurations affected are a reverse proxy is configured for an HTTP/2 backend, with ProxyPreserveHost set to "on".
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CISA-ADPADP
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 71%
Affected Products (NVD)
VendorProductVersion
apachehttp_server
2.4.26 ≤
𝑥
< 2.4.64
𝑥
= Vulnerable software versions
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
apache2
bionic
Fixed 2.4.29-1ubuntu4.27+esm6
released
focal
Fixed 2.4.41-4ubuntu3.23+esm2
released
jammy
Fixed 2.4.52-1ubuntu4.15
released
noble
Fixed 2.4.58-1ubuntu8.7
released
plucky
Fixed 2.4.63-1ubuntu1.1
released
trusty
not-affected
xenial
not-affected
Common Weakness Enumeration
References
https://httpd.apache.org/security/vulnerabilities_24.html
http://www.openwall.com/lists/oss-security/2025/07/10/2
http://www.openwall.com/lists/oss-security/2025/07/10/7
https://lists.debian.org/debian-lts-announce/2025/08/msg00009.html