EUVD-2025-21017

CVE-2025-49630 HIGH
2025-07-10 [email protected]
CVSS 3.1 base score: 7.5

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Lifecycle Timeline

Patch Released: Mar 31, 2026 - 21:13 (nvd) - Patch available
Analysis Generated: Mar 16, 2026 - 06:52 (vuln.today)
EUVD ID Assigned: Mar 16, 2026 - 06:52 (euvd) - EUVD-2025-21017
CVE Published: Jul 10, 2025 - 17:15 (nvd) - HIGH 7.5

Description

In certain proxy configurations, a denial of service attack against Apache HTTP Server versions 2.4.26 through 2.4.63 can be triggered by untrusted clients causing an assertion in mod_proxy_http2. Affected configurations are those where a reverse proxy is configured for an HTTP/2 backend with ProxyPreserveHost set to "on".

Analysis

CVE-2025-49630 is a denial of service vulnerability in Apache HTTP Server versions 2.4.26 through 2.4.63 that can be triggered by untrusted remote clients when a reverse proxy is configured with an HTTP/2 backend and ProxyPreserveHost enabled, causing an assertion failure that crashes the proxy process. The vulnerability has a CVSS 3.1 base score of 7.5 (High): the attack vector is network and neither privileges nor user interaction are required, so it is exploitable by unauthenticated remote attackers.

Technical Context

This vulnerability resides in mod_proxy_http2, the Apache HTTP Server module responsible for proxying HTTP/2 connections to backend servers. The root cause is classified as CWE-617 (Reachable Assertion), indicating that an assertion statement in the code can be triggered by attacker-controlled input, leading to abnormal termination. The vulnerability is specifically triggered in reverse proxy configurations where ProxyPreserveHost is set to 'on', which causes the proxy to forward the original client's Host header to the backend HTTP/2 server. The affected CPE scope includes Apache HTTP Server versions 2.4.26 through 2.4.63, encompassing approximately 38 minor versions across a 7+ year release timeline. The HTTP/2 protocol implementation in mod_proxy_http2 fails to properly validate or handle certain client-supplied requests when combined with host header preservation, resulting in a code path that triggers an unguarded assertion.

Affected Products

Apache HTTP Server 2.4.26 through 2.4.63 (inclusive)

Remediation

Patch: Upgrade Apache HTTP Server to version 2.4.64 or later, which contains the fix for the mod_proxy_http2 assertion handling.
Fixed versions: 2.4.64+ (Apache)
Workaround: If immediate patching is not feasible, disable ProxyPreserveHost by setting 'ProxyPreserveHost off' in the reverse proxy configuration, or remove HTTP/2 backend proxy rules and fall back to HTTP/1.1 for backend connections.
Configuration change: ProxyPreserveHost off
Risk note: The workaround alters proxy behavior; client Host headers will not be preserved to the backend, potentially breaking hostname-dependent backend services.
Mitigation: Implement network-level access controls to restrict which clients can reach the reverse proxy, reducing attack surface while patches are deployed.
Deployment: WAF, firewall rules, or reverse proxy authentication
Monitoring: Monitor Apache error logs and process crash reports for assertion failures in mod_proxy_http2; implement alerting on unexpected httpd process restarts.
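As an added example (not code from this page or from the Apache project), the following Python script audits an httpd configuration for the combination named above: a ProxyPass to an h2:// or h2c:// backend, which is what routes a request through mod_proxy_http2, inside a vhost where ProxyPreserveHost is On, whether set there or inherited from the server scope. The sample configuration is constructed; the check covers the configuration conditions only, so the running httpd version still has to be compared against 2.4.26 through 2.4.63 separately.

```python
import re

# Constructed sample httpd.conf (not from the advisory): the first vhost shows the
# exposed combination, the second proxies over HTTP/1.1 and is not affected.
SAMPLE_CONF = """
ProxyPreserveHost Off
<VirtualHost *:443>
    ServerName app.example.test
    ProxyPreserveHost On
    ProxyPass        "/api/" "h2://backend.internal:8443/api/"
    ProxyPassReverse "/api/" "h2://backend.internal:8443/api/"
</VirtualHost>
<VirtualHost *:443>
    ServerName legacy.example.test
    ProxyPass "/" "http://legacy.internal:8080/"
</VirtualHost>
"""

# mod_proxy_http2 handles backends given with the h2:// and h2c:// schemes.
H2_TARGET   = re.compile(r'^\s*ProxyPass(?:Match)?\s+\S+\s+"?(h2c?://[^"\s]+)', re.I)
PRESERVE    = re.compile(r'^\s*ProxyPreserveHost\s+(\S+)', re.I)
VHOST_OPEN  = re.compile(r'^\s*<VirtualHost\b', re.I)
VHOST_CLOSE = re.compile(r'^\s*</VirtualHost>', re.I)
SERVER_NAME = re.compile(r'^\s*ServerName\s+(\S+)', re.I)

def find_exposed_vhosts(conf_text):
    """Return [(server_name, [h2 backends])] for each <VirtualHost> that proxies to
    an HTTP/2 backend while ProxyPreserveHost is On (set in the vhost or inherited
    from the server scope). Simplification: Include, <Location>, <Proxy> and
    .htaccess-level directives are not followed."""
    global_preserve, vhosts, cur = False, [], None
    for line in conf_text.splitlines():
        if VHOST_OPEN.match(line):
            cur = {"name": "<unnamed>", "preserve": None, "h2": []}
        elif VHOST_CLOSE.match(line) and cur is not None:
            vhosts.append(cur)
            cur = None
        elif (m := PRESERVE.match(line)):
            value = m.group(1).lower() == "on"
            if cur is None:
                global_preserve = value   # server scope, inherited by every vhost
            else:
                cur["preserve"] = value
        elif cur is not None:
            if (m := SERVER_NAME.match(line)):
                cur["name"] = m.group(1)
            if (m := H2_TARGET.match(line)):
                cur["h2"].append(m.group(1))
    # Server-scope directives apply to all vhosts regardless of line order, so the
    # effective value is resolved only after the whole file has been read.
    return [(v["name"], v["h2"]) for v in vhosts
            if v["h2"] and (global_preserve if v["preserve"] is None else v["preserve"])]

if __name__ == "__main__":
    for name, targets in find_exposed_vhosts(SAMPLE_CONF):
        print(f"{name}: ProxyPreserveHost On with HTTP/2 backend(s) {targets}")
```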

Priority Score

Priority Score: 38
KEV: 0
EPSS: +0.8
CVSS: +38
POC: 0

Vendor Status

Ubuntu

Priority: Medium
Package: apache2
Release   Status        Version
upstream  released      2.4.64-1
trusty    not-affected  -
xenial    not-affected  -
bionic    released      2.4.29-1ubuntu4.27+esm6
focal     released      2.4.41-4ubuntu3.23+esm2
jammy     released      2.4.52-1ubuntu4.15
noble     released      2.4.58-1ubuntu8.7
plucky    released      2.4.63-1ubuntu1.1

Debian

Package: apache2
Release              Status      Fixed Version      Urgency
bullseye             fixed       2.4.65-1~deb11u1   -
bullseye (security)  fixed       2.4.66-1~deb11u1   -
bookworm             fixed       2.4.65-1~deb12u1   -
bookworm (security)  vulnerable  2.4.62-1~deb12u2   -
trixie               fixed       2.4.66-1~deb13u2   -
forky, sid           fixed       2.4.66-8           -
(unstable)           fixed       2.4.64-1           -


EUVD-2025-21017 vulnerability details – vuln.today
