How to fix CVE-2025-49630?

Within 24 hours: Identify all Apache servers running versions 2.4.26-2.4.63 with reverse proxy and HTTP/2 backend configurations; assess exposure to untrusted client traffic. Within 7 days: Implement compensating controls (WAF rules, network segmentation, or disable ProxyPreserveHost if operationally feasible); establish incident response procedures. Within 30 days: Monitor vendor security advisories for patch availability; plan upgrade strategy to patched versions once available; test in non-production environment first.

Is Http Server affected by CVE-2025-49630?

Apache HTTP Server versions 2.4.26-2.4.63 are vulnerable to denial of service attacks when configured as reverse proxies for HTTP/2 backends with ProxyPreserveHost enabled. Untrusted clients can trigger server crashes, disrupting availability for dependent applications and end users.

CVE-2025-49630

EUVD-2025-21017 HIGH

2025-07-10 [email protected]

7.5

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Lifecycle Timeline

Patch Released

Mar 31, 2026 - 21:13 nvd

Patch available

Analysis Generated

Mar 16, 2026 - 06:52 vuln.today

EUVD ID Assigned

Mar 16, 2026 - 06:52 euvd

EUVD-2025-21017

CVE Published

Jul 10, 2025 - 17:15 nvd

HIGH 7.5

Description

In certain proxy configurations, a denial of service attack against Apache HTTP Server versions 2.4.26 through to 2.4.63 can be triggered by untrusted clients causing an assertion in mod_proxy_http2. Configurations affected are a reverse proxy is configured for an HTTP/2 backend, with ProxyPreserveHost set to "on".

Analysis

CVE-2025-49630 is a denial of service vulnerability in Apache HTTP Server versions 2.4.26 through 2.4.63 that can be triggered by untrusted remote clients when a reverse proxy is configured with HTTP/2 backend support and ProxyPreserveHost enabled, causing an assertion failure that crashes the proxy process. The vulnerability has a CVSS score of 7.5 (High) with network-accessible attack vector and no authentication required, making it immediately exploitable by unauthenticated remote attackers.

Technical Context

This vulnerability resides in mod_proxy_http2, the Apache HTTP Server module responsible for proxying HTTP/2 connections to backend servers. The root cause is classified as CWE-617 (Reachable Assertion), indicating that an assertion statement in the code can be triggered by attacker-controlled input, leading to abnormal termination. The vulnerability is specifically triggered in reverse proxy configurations where ProxyPreserveHost is set to 'on', which causes the proxy to forward the original client's Host header to the backend HTTP/2 server. The affected CPE scope includes Apache HTTP Server versions 2.4.26 through 2.4.63, encompassing approximately 38 minor versions across a 7+ year release timeline. The HTTP/2 protocol implementation in mod_proxy_http2 fails to properly validate or handle certain client-supplied requests when combined with host header preservation, resulting in a code path that triggers an unguarded assertion.

Affected Products

Apache HTTP Server (2.4.26 through 2.4.63 (inclusive))

Remediation

patch: Upgrade Apache HTTP Server to version 2.4.64 or later, which contains the fix for the mod_proxy_http2 assertion handling; affected_versions_fixed: 2.4.64+ (Apache) workaround: If immediate patching is not feasible, disable ProxyPreserveHost by setting 'ProxyPreserveHost off' in the reverse proxy configuration, or remove HTTP/2 backend proxy rules and fall back to HTTP/1.1 for backend connections; configuration_change: ProxyPreserveHost off; risk_note: Workaround alters proxy behavior; client Host headers will not be preserved to backend, potentially breaking hostname-dependent backend services mitigation: Implement network-level access controls to restrict which clients can reach the reverse proxy, reducing attack surface while patches are deployed; deployment: WAF, firewall rules, or reverse proxy authentication monitoring: Monitor Apache error logs and process crash reports for assertion failures in mod_proxy_http2; implement alerting on unexpected httpd process restarts

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.8

CVSS: +38

POC: 0

Vendor Status

Ubuntu

Priority: Medium

apache2

Release	Status	Version
upstream	released	2.4.64-1
trusty	not-affected	-
xenial	not-affected	-
bionic	released	2.4.29-1ubuntu4.27+esm6
focal	released	2.4.41-4ubuntu3.23+esm2
jammy	released	2.4.52-1ubuntu4.15
noble	released	2.4.58-1ubuntu8.7
plucky	released	2.4.63-1ubuntu1.1

USN-7639-1 USN-7639-2

Debian

apache2

Release	Status	Fixed Version	Urgency
bullseye	fixed	2.4.65-1~deb11u1	-
bullseye (security)	fixed	2.4.66-1~deb11u1	-
bookworm	fixed	2.4.65-1~deb12u1	-
bookworm (security)	vulnerable	2.4.62-1~deb12u2	-
trixie	fixed	2.4.66-1~deb13u2	-
forky, sid	fixed	2.4.66-8	-
(unstable)	fixed	2.4.64-1	-

DLA-4270-1

CVE-2025-49630 vulnerability details – vuln.today

Back

CVE-2025-49630

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Vendor Status

Ubuntu

Debian

Share

CVE-2025-49630

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Vendor Status

Ubuntu

Debian

Share

External POC / Exploit Code