CVE-2025-3110
Received Received - Intake

HTTP Request Smuggling in OpenVPN Access Server

Vulnerability report for CVE-2025-3110, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: OpenVPN Inc.

Description

OpenVPN Access Server 2.7.2 through 3.1.0 accepts bare line-feed sequences inside HTTP header values, allowing remote attackers to perform HTTP request smuggling when deployed behind a reverse proxy

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-09
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
openvpn access_server From 2.7.2 (inc) to 3.1.0 (inc)
openvpn access_server 3.2
openvpn access_server 3.2.1

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-444 The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability affects OpenVPN Access Server versions 2.7.2 through 3.1.0. It occurs because the server accepts bare line-feed sequences inside HTTP header values. This flaw allows remote attackers to perform HTTP request smuggling attacks when the server is deployed behind a reverse proxy.

Impact Analysis

The vulnerability can allow remote attackers to perform HTTP request smuggling, which can lead to bypassing security controls, interfering with the processing of HTTP requests, and potentially gaining unauthorized access or causing denial of service. This can compromise the integrity and confidentiality of communications handled by the OpenVPN Access Server.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade your OpenVPN Access Server to version 3.2 or later, as these versions include security fixes and improvements.

The Access Server 3.2 release, dated April 28, 2026, includes OpenVPN 2.7.2 with security fixes that address known vulnerabilities.

Applying the latest updates and patches from OpenVPN will help protect your system from HTTP request smuggling attacks related to this vulnerability.

Compliance Impact

The provided information does not specify how the vulnerability in OpenVPN Access Server affects compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-3110. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart