CVE-2025-23048

In some mod_ssl configurations on Apache HTTP Server 2.4.35 through to 2.4.63, an access control bypass by trusted clients is possible using TLS 1.3 session resumption.

Configurations are affected when mod_ssl is configured for multiple virtual hosts, with each restricted to a different set of trusted client certificates (for example with a different SSLCACertificateFile/Path setting). In such a case, a client trusted to access one virtual host may be able to access another virtual host, if SSLStrictSNIVHostCheck is not enabled in either virtual host.

Published: Jul 10, 2025
Updated: Jul 11, 2025
CVE: CVE-2025-23048
Exploit:

No technical information available.

CWEs:

CWE-284

OWASP TOP 10:

A5 - Broken Access Control

Affected Software
References

Software	From	Fixed in
apache / http_server	2.4.35	2.4.64

https://httpd.apache.org/security/vulnerabilities_24.html

Vulnerability Database

CVE-2025-23048