CVE-2025-49630

In certain proxy configurations, a denial of service attack against Apache HTTP Server versions 2.4.26 through to 2.4.63 can be triggered by untrusted clients causing an assertion in mod_proxy_http2.

Configurations affected are a reverse proxy is configured for an HTTP/2 backend, with ProxyPreserveHost set to "on".

Published: Jul 10, 2025
Updated: Jul 11, 2025
CVE: CVE-2025-49630
Exploit:

No technical information available.

CWEs:

CWE-617

Affected Software
References

Software	From	Fixed in
apache / http_server	2.4.26	2.4.64

https://httpd.apache.org/security/vulnerabilities_24.html

Vulnerability Database

CVE-2025-49630