CVE-2025-49630
BaseFortify

Publication date: 2025-07-10

Last updated on: 2025-11-04

Assigner: Apache Software Foundation

Description
In certain proxy configurations, a denial of service attack against Apache HTTP Server versions 2.4.26 through 2.4.63 can be triggered by untrusted clients causing an assertion in mod_proxy_http2. Affected configurations are those in which a reverse proxy is configured for an HTTP/2 backend with ProxyPreserveHost set to "on".
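
A configuration audit for the combination described above, added here as an example and not taken from this page or from the Apache project: it flags scopes in an httpd configuration that proxy to an HTTP/2 backend while ProxyPreserveHost is effectively on, and checks a version string against the affected range. Assumptions: HTTP/2 backends appear as `h2://` or `h2c://` targets, scoping is limited to the global level plus `<VirtualHost>` blocks (a vhost inherits the global setting unless it sets its own), Include files are not followed, and the sample configuration is constructed.

```python
import re

AFFECTED = ((2, 4, 26), (2, 4, 63))  # range stated on the page; 2.4.64 is outside it

def version_affected(version):
    """True if a plain dotted httpd version such as '2.4.58' is in the affected range."""
    return AFFECTED[0] <= tuple(int(p) for p in version.split(".")) <= AFFECTED[1]

def find_exposed_scopes(conf_text):
    """Return [(scope, line_no, directive)] for h2/h2c proxy targets that sit in a
    scope where ProxyPreserveHost is effectively On."""
    scope = "global"
    preserve = {}  # scope -> explicit ProxyPreserveHost value for that scope
    targets = []   # every directive line that points at an h2:// or h2c:// backend
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if m:
            scope = f"vhost {m.group(1).strip()} (line {no})"
        elif re.match(r"</VirtualHost>", line, re.I):
            scope = "global"
        elif (m := re.match(r"ProxyPreserveHost\s+(\w+)", line, re.I)):
            preserve[scope] = m.group(1).lower() == "on"
        elif re.search(r"(?<!\w)h2c?://", line, re.I):
            targets.append((scope, no, line))
    # Evaluate after the full pass so directive order inside a scope does not matter.
    return [t for t in targets if preserve.get(t[0], preserve.get("global", False))]

# Constructed sample configuration (hypothetical host names).
SAMPLE_CONF = """\
# constructed sample, not taken from a real deployment
ProxyPreserveHost Off
<VirtualHost *:443>
    ServerName app.example.test
    ProxyPreserveHost On
    ProxyPass "/api" "h2://backend.example.test:8443/api"
</VirtualHost>
<VirtualHost *:8080>
    ProxyPreserveHost On
    ProxyPass "/" "http://legacy-backend.example.test/"
</VirtualHost>
<VirtualHost *:8081>
    ProxyPass "/" "h2c://internal-backend.example.test:8082/"
</VirtualHost>
"""

if __name__ == "__main__":
    for scope, no, line in find_exposed_scopes(SAMPLE_CONF):
        print(f"{scope}: line {no}: {line}")
```

Only the first virtual host in the sample is reported: the second proxies over HTTP/1.1, and the third inherits the global `ProxyPreserveHost Off`.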
Meta Information
Published: 2025-07-10
Last Modified: 2025-11-04
Generated: 2026-05-07
AI Q&A: 2025-07-10
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 1 associated CPE
Vendor: apache
Product: http_server
Version / Range: From 2.4.26 (inc) to 2.4.64 (exc)
CWE-617: The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability occurs in Apache HTTP Server versions 2.4.26 through 2.4.63 when certain proxy configurations are used. Specifically, if a reverse proxy is configured for an HTTP/2 backend with ProxyPreserveHost set to "on", untrusted clients can trigger an assertion failure in the mod_proxy_http2 module, leading to a denial of service.


How can this vulnerability impact me?

The vulnerability can cause a denial of service (DoS) condition in the affected Apache HTTP Server instances. This means that an attacker could cause the server to crash or become unavailable, disrupting services and potentially impacting availability for legitimate users.

