What is the CVSS score of CVE-2025-49630?

CVE-2025-49630 has a CVSS 3.1 base score of 7.5 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. EPSS exploitation probability: 0.8%.

Which versions of Http Server are affected by CVE-2025-49630?

Apache HTTP Server versions 2.4.26-2.4.63 are vulnerable to denial of service attacks when configured as reverse proxies for HTTP/2 backends with ProxyPreserveHost enabled.. A patch is available.

Is there a public PoC exploit available for CVE-2025-49630?

Yes, a public proof-of-concept exploit is available for CVE-2025-49630. Prioritise patching immediately. EPSS: 0.8%.

How to fix or mitigate CVE-2025-49630?

Within 24 hours: Identify all Apache servers running versions 2.4.26-2.4.63 with reverse proxy and HTTP/2 backend configurations; assess exposure to untrusted client traffic. Within 7 days: Implement compensating controls (WAF rules, network segmentation, or disable ProxyPreserveHost if operationally feasible); establish incident response procedures. Within 30 days: Monitor vendor security advisories for patch availability; plan upgrade strategy to patched versions once available; test in non-production environment first.

Http Server CVE-2025-49630

EUVD-2025-21017 HIGH

Reachable Assertion (CWE-617)

2025-07-10 security@apache.org

Denial Of Service Apache Red Hat Http Server Suse

7.5

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Lifecycle Timeline

Patch released

Mar 31, 2026 - 21:13 nvd

Patch available

EUVD ID Assigned

Mar 16, 2026 - 06:52 euvd

EUVD-2025-21017

Analysis Generated

Mar 16, 2026 - 06:52 vuln.today

CVE Published

Jul 10, 2025 - 17:15 nvd

HIGH 7.5

DescriptionNVD

In certain proxy configurations, a denial of service attack against Apache HTTP Server versions 2.4.26 through to 2.4.63 can be triggered by untrusted clients causing an assertion in mod_proxy_http2.

Configurations affected are a reverse proxy is configured for an HTTP/2 backend, with ProxyPreserveHost set to "on".

AnalysisAI

CVE-2025-49630 is a denial of service vulnerability in Apache HTTP Server versions 2.4.26 through 2.4.63 that can be triggered by untrusted remote clients when a reverse proxy is configured with HTTP/2 backend support and ProxyPreserveHost enabled, causing an assertion failure that crashes the proxy process. The vulnerability has a CVSS score of 7.5 (High) with network-accessible attack vector and no authentication required, making it immediately exploitable by unauthenticated remote attackers.

Technical ContextAI

This vulnerability resides in mod_proxy_http2, the Apache HTTP Server module responsible for proxying HTTP/2 connections to backend servers. The root cause is classified as CWE-617 (Reachable Assertion), indicating that an assertion statement in the code can be triggered by attacker-controlled input, leading to abnormal termination. The vulnerability is specifically triggered in reverse proxy configurations where ProxyPreserveHost is set to 'on', which causes the proxy to forward the original client's Host header to the backend HTTP/2 server. The affected CPE scope includes Apache HTTP Server versions 2.4.26 through 2.4.63, encompassing approximately 38 minor versions across a 7+ year release timeline. The HTTP/2 protocol implementation in mod_proxy_http2 fails to properly validate or handle certain client-supplied requests when combined with host header preservation, resulting in a code path that triggers an unguarded assertion.

RemediationAI

patch: Upgrade Apache HTTP Server to version 2.4.64 or later, which contains the fix for the mod_proxy_http2 assertion handling; affected_versions_fixed: 2.4.64+ (Apache) workaround: If immediate patching is not feasible, disable ProxyPreserveHost by setting 'ProxyPreserveHost off' in the reverse proxy configuration, or remove HTTP/2 backend proxy rules and fall back to HTTP/1.1 for backend connections; configuration_change: ProxyPreserveHost off; risk_note: Workaround alters proxy behavior; client Host headers will not be preserved to backend, potentially breaking hostname-dependent backend services mitigation: Implement network-level access controls to restrict which clients can reach the reverse proxy, reducing attack surface while patches are deployed; deployment: WAF, firewall rules, or reverse proxy authentication monitoring: Monitor Apache error logs and process crash reports for assertion failures in mod_proxy_http2; implement alerting on unexpected httpd process restarts

More from same product – last 7 days

CVE-2025-48977 HIGH This Week

8.5 May 28

Path traversal in Apache Ignite 2.0.0 through 2.17.0 lets authenticated REST API users read arbitrary files on the serve

CVE-2026-9277 HIGH This Week

8.1 May 22

Command injection in the shell-quote npm package allows attackers who can influence object-token inputs to inject arbitr

CVE-2026-9256 HIGH This Week

8.1 May 22

Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows unauthenticated remote attackers

CVE-2026-42782 HIGH This Week

7.2 May 25

Code execution via Groovy sandbox bypass in Apache Syncope 3.0 through 3.0.16, 4.0 through 4.0.5, and 4.1.0 allows a hig

CVE-2026-43827 MEDIUM This Month

5.9 May 25

Default configurations of Apache Shiro have a session fixation vulnerability. This issue affects Apache Shiro from 1.0

Vendor StatusVendor

Ubuntu

Priority: Medium

apache2

Release	Status	Version
upstream	released	2.4.64-1
trusty	not-affected	-
xenial	not-affected	-
bionic	released	2.4.29-1ubuntu4.27+esm6
focal	released	2.4.41-4ubuntu3.23+esm2
jammy	released	2.4.52-1ubuntu4.15
noble	released	2.4.58-1ubuntu8.7
plucky	released	2.4.63-1ubuntu1.1

USN-7639-1 USN-7639-2

Debian

apache2

Release	Status	Fixed Version	Urgency
bullseye	fixed	2.4.65-1~deb11u1	-
bullseye (security)	fixed	2.4.66-1~deb11u1	-
bookworm	fixed	2.4.65-1~deb12u1	-
bookworm (security)	vulnerable	2.4.62-1~deb12u2	-
trixie	fixed	2.4.66-1~deb13u2	-
forky, sid	fixed	2.4.66-8	-
(unstable)	fixed	2.4.64-1	-

DLA-4270-1

CVE-2025-49630 vulnerability details – vuln.today

Back

Http Server CVE-2025-49630

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

RemediationAI

More from same product – last 7 days

Vendor StatusVendor

Ubuntu

Debian

Share

External POC / Exploit Code