CVE-2025-49812

In some mod_ssl configurations on Apache HTTP Server versions through to 2.4.63, an HTTP desynchronisation attack allows a man-in-the-middle attacker to hijack an HTTP session via a TLS upgrade.

Only configurations using "SSLEngine optional" to enable TLS upgrades are affected. Users are recommended to upgrade to version 2.4.64, which removes support for TLS upgrade.

Published: Jul 10, 2025
Updated: Jul 11, 2025
CVE: CVE-2025-49812
Exploit:

No technical information available.

CWEs:

CWE-287

OWASP TOP 10:

A2 - Broken Authentication

Affected Software
References

Software	From	Fixed in
apache / http_server	-	2.4.64

https://httpd.apache.org/security/vulnerabilities_24.html

Vulnerability Database

CVE-2025-49812