
Http Server CVE-2025-53020

EUVD: EUVD-2025-21015 | Severity: HIGH
Weakness: Memory Leak (CWE-401)
Published: 2025-07-10 (security@apache.org)
CVSS 3.1 (NVD): 7.5

Severity by source

NVD (primary): 7.5 HIGH (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Ubuntu: MEDIUM (qualitative)
SUSE: HIGH (qualitative)
Red Hat: 5.3 MEDIUM (qualitative)

Primary rating from NVD.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Lifecycle Timeline (4 events)

Patch released: Mar 31, 2026 - 21:13 (nvd) - Patch available
EUVD ID Assigned: Mar 16, 2026 - 06:52 (euvd) - EUVD-2025-21015
Analysis Generated: Mar 16, 2026 - 06:52 (vuln.today)
CVE Published: Jul 10, 2025 - 17:15 (nvd) - HIGH 7.5

Description (CVE.org)

Late Release of Memory after Effective Lifetime vulnerability in Apache HTTP Server.

This issue affects Apache HTTP Server: from 2.4.17 up to 2.4.63.

Users are recommended to upgrade to version 2.4.64, which fixes the issue.

Analysis (AI-generated)

CVE-2025-53020 is a late release of memory after effective lifetime vulnerability (CWE-401, a memory leak) in Apache HTTP Server versions 2.4.17 through 2.4.63 that allows unauthenticated remote attackers to cause a denial of service with high availability impact. The vulnerability has a CVSS score of 7.5 (high severity) with a network attack vector, low attack complexity, and no privileges or user interaction required, so it is reachable by any client that can send requests to the server. Organizations running affected Apache HTTP Server versions should prioritize upgrading to version 2.4.64 immediately.

Technical Context (AI-generated)

This vulnerability stems from CWE-401 (Missing Release of Memory after Effective Lifetime), a memory management flaw in which Apache HTTP Server fails to free memory objects once their intended use has ended. Memory retained beyond its effective lifetime during request or connection processing accumulates over the server's operation instead of being returned for reuse; this is a leak, not a use-after-free, which is why the impact is confined to availability. The affected product is Apache HTTP Server (CPE: cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*), a widely deployed open-source web server used in mission-critical infrastructure. The flaw likely exists in core request processing, memory pooling, or connection handling routines that manage the lifecycle of internal data structures. Under sustained traffic the leaked memory can exhaust the memory available to the server processes and crash or stall them, consistent with the CVSS vector's high availability impact and no confidentiality or integrity impact.

Remediation (AI-generated)

IMMEDIATE ACTION: Upgrade Apache HTTP Server to version 2.4.64 or later, the release that resolves CVE-2025-53020. Organizations should:

(1) Test the 2.4.64 upgrade in non-production environments first to confirm compatibility with loaded modules, custom configurations, and applications.
(2) Plan a phased rollout across production systems, prioritizing internet-facing servers.
(3) Use maintenance windows or load balancing to avoid service interruption.
(4) Verify that the patch is installed by confirming the version output and reviewing server logs for errors. Distribution packages backport the fix rather than moving to 2.4.64, so on Ubuntu, Debian and SUSE the package version listed under Vendor Status is the value to check, not the upstream version number.

TEMPORARY MITIGATION (while patching): deploy rate limiting and connection throttling to reduce the denial-of-service attack surface; implement WAF/IDS signatures to detect potential exploitation patterns; restrict access to the HTTP server to trusted networks where operationally feasible. Workarounds are limited because the flaw sits inside the server process itself; complete patching is the only reliable remediation.


Vendor Status (vendor data)

Ubuntu

Priority: Medium
Package: apache2

Release    Status         Version
upstream   released       2.4.64-1
jammy      released       2.4.52-1ubuntu4.15
noble      released       2.4.58-1ubuntu8.7
plucky     released       2.4.63-1ubuntu1.1
trusty     not-affected   -
bionic     released       2.4.29-1ubuntu4.27+esm6
focal      released       2.4.41-4ubuntu3.23+esm2
xenial     released       2.4.18-2ubuntu3.17+esm16

Debian

Package: apache2

Release               Status       Fixed Version       Urgency
bullseye              fixed        2.4.65-1~deb11u1    -
bullseye (security)   fixed        2.4.66-1~deb11u1    -
bookworm              fixed        2.4.65-1~deb12u1    -
bookworm (security)   vulnerable   2.4.62-1~deb12u2    -
trixie                fixed        2.4.66-1~deb13u2    -
forky, sid            fixed        2.4.66-8            -
(unstable)            fixed        2.4.64-1            -

SUSE

Severity: High

Affected:
  Container suse/manager/4.3/proxy-httpd:4.3.16.9.67.10
  Image SLES15-SP4-Manager-Proxy-4-3-BYOS
  Image SLES15-SP4-Manager-Proxy-4-3-BYOS-Azure
  Image SLES15-SP4-Manager-Proxy-4-3-BYOS-EC2
  Image SLES15-SP4-Manager-Proxy-4-3-BYOS-GCE
  Image SLES15-SP4-Manager-Server-4-3-BYOS
  Image SLES15-SP4-Manager-Server-4-3-BYOS-Azure
  Image SLES15-SP4-Manager-Server-4-3-BYOS-EC2
  Image SLES15-SP4-Manager-Server-4-3-BYOS-GCE
  Image SLES15-SP4-SAP
  Image SLES15-SP4-SAP-Azure
  Image SLES15-SP4-SAP-EC2
  Image SLES15-SP4-SAP-GCE
  Image SLES15-SP4-SAPCAL
  Image SLES15-SP4-SAPCAL-Azure
  Image SLES15-SP4-SAPCAL-EC2
  Image SLES15-SP4-SAPCAL-GCE
  Image SLES15-SP5-SAPCAL-Azure
  Image SLES15-SP5-SAPCAL-EC2
  Image SLES15-SP5-SAPCAL-GCE
  Container suse/manager/5.0/x86_64/proxy-httpd:5.0.5.1.7.26.2
  Container suse/manager/5.0/x86_64/server:5.0.5.1.7.33.2
  Image SLES15-SP6-SAP
  Image SLES15-SP6-SAP-Azure
  Image SLES15-SP6-SAP-EC2
  Image SLES15-SP6-SAP-GCE
  Image SLES15-SP6-SAPCAL
  Image SLES15-SP6-SAPCAL-Azure
  Image SLES15-SP6-SAPCAL-EC2
  Image SLES15-SP6-SAPCAL-GCE
  Container suse/multi-linux-manager/5.1/x86_64/proxy-httpd:5.1.1.8.9.2
  Container suse/multi-linux-manager/5.1/x86_64/proxy-salt-broker:5.1.2.9.13.2
  Container suse/multi-linux-manager/5.1/x86_64/server:5.1.1.8.7.1
  Image SLES15-SP7-SAPCAL-Azure
  Image SLES15-SP7-SAPCAL-EC2
  Image SLES15-SP7-SAPCAL-GCE
  Image proxy-httpd-image
  Image server-image

Fixed:
  SUSE Enterprise Storage 7.1
  SUSE Linux Enterprise Desktop 15 SP6
  SUSE Linux Enterprise Module for Basesystem 15 SP6


CVE-2025-53020 vulnerability details – vuln.today
