Severity: moderate 

Affected versions:

- Apache HTTP Server through 2.4.63

Description:

In some mod_ssl configurations on Apache HTTP Server versions through 2.4.63,
an HTTP desynchronisation attack allows a man-in-the-middle attacker to hijack
an HTTP session via a TLS upgrade.

Only configurations using "SSLEngine optional" to enable TLS upgrades are 
affected. Users are recommended to upgrade to version 2.4.64, which removes 
support for TLS upgrade.
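A quick audit for the affected setting, as an added example that is not part of the advisory: the shell function below reports every active (uncommented) `SSLEngine optional` directive in the httpd configuration files it is given, so an administrator can confirm whether a host is exposed before upgrading to 2.4.64. The sample virtual host it scans is constructed, and the `/etc/apache2/...` paths in the comment are assumptions.

```shell
#!/bin/sh
# Report active "SSLEngine optional" directives, the setting this advisory
# names as the precondition for CVE-2025-49812. Added example, not part of
# the advisory. Usage: find_ssl_engine_optional FILE...
# e.g. find_ssl_engine_optional /etc/apache2/*.conf /etc/apache2/sites-enabled/*
# (paths are assumptions; adjust to your layout).

# Print "file:line: directive" for each uncommented SSLEngine directive whose
# argument is "optional". Directive names and the on/off/optional argument are
# matched case-insensitively, as httpd accepts them.
find_ssl_engine_optional() {
    awk '
        # skip blank lines and comment lines (leading whitespace allowed)
        { stripped = $0; sub(/^[ \t]+/, "", stripped) }
        stripped == "" || stripped ~ /^#/ { next }
        tolower($1) == "sslengine" && tolower($2) == "optional" {
            printf "%s:%d: %s\n", FILENAME, FNR, stripped
        }' "$@"
}

# Return 0 (true) if any of the given files has an active "SSLEngine optional".
has_ssl_engine_optional() {
    [ -n "$(find_ssl_engine_optional "$@")" ]
}

# Demonstration on a constructed virtual host; the commented-out copy must
# not be reported, the indented live directive must.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
# SSLEngine optional   <- commented out, not active
<VirtualHost *:443>
    ServerName example.test
    SSLEngine optional
</VirtualHost>
EOF
if has_ssl_engine_optional "$demo_conf"; then
    echo "affected: TLS upgrade enabled via SSLEngine optional"
    find_ssl_engine_optional "$demo_conf"
else
    echo "not affected by CVE-2025-49812 via SSLEngine optional"
fi
rm -f "$demo_conf"
```

Replacing the directive with `SSLEngine on` (always-on TLS) or `SSLEngine off` removes the upgrade path on older releases; 2.4.64 removes TLS upgrade support entirely.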

Credit:

Robert Merget (Technology Innovation Institute) (finder)
Nurullah Erinola (Ruhr University Bochum) (finder)
Marcel Maehren (Ruhr University Bochum) (finder)
Lukas Knittel (Ruhr University Bochum) (finder)
Sven Hebrok (Paderborn University) (finder)
Marcus Brinkmann (Ruhr University Bochum) (finder)
Juraj Somorovsky (Paderborn University) (finder)
Jörg Schwenk (Ruhr University Bochum) (finder)

References:

https://httpd.apache.org/security/vulnerabilities_24.html
https://httpd.apache.org/
https://www.cve.org/CVERecord?id=CVE-2025-49812

Timeline:

2025-04-22: Report received
2025-07-07: 2.4.x revision 1927045

