CVE-2025-49630

CVE-2025-49630: Apache HTTP Server: mod_proxy_http2 denial of service

Vendor Apache Software Foundation

Product Apache HTTP Server

Weakness CWE-617

Published July 10, 2025

Last update November 4, 2025

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

Description

In certain proxy configurations, a denial of service attack against Apache HTTP Server versions 2.4.26 through to 2.4.63 can be triggered by untrusted clients causing an assertion in mod_proxy_http2. Configurations affected are a reverse proxy is configured for an HTTP/2 backend, with ProxyPreserveHost set to "on".

Key dates

Disclosure timeline

July 10, 2025 CVE published

November 4, 2025 Record updated