CVE-2025-49812

CVE-2025-49812: Apache HTTP Server: mod_ssl TLS upgrade attack

Vendor Apache Software Foundation

Product Apache HTTP Server

Weakness CWE-287 · Improper authentication

Published July 10, 2025

Last update November 4, 2025

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

Description

In some mod_ssl configurations on Apache HTTP Server versions through to 2.4.63, an HTTP desynchronisation attack allows a man-in-the-middle attacker to hijack an HTTP session via a TLS upgrade. Only configurations using "SSLEngine optional" to enable TLS upgrades are affected. Users are recommended to upgrade to version 2.4.64, which removes support for TLS upgrade.

Key dates

Disclosure timeline

July 10, 2025 CVE published

November 4, 2025 Record updated