CVE Daily

CVE-2025-49812

In some mod_ssl configurations on Apache HTTP Server versions through to 2.4.63,...

High CVSS 7.4

Overview

In some mod_ssl configurations on Apache HTTP Server versions through to 2.4.63, an HTTP desynchronisation attack allows a man-in-the-middle attacker to hijack an HTTP session via a TLS upgrade.

Only configurations using "SSLEngine optional" to enable TLS upgrades are affected. Users are recommended to upgrade to version 2.4.64, which removes support for TLS upgrade.

CWE: CWE-287 Published: 2025-07-10T17:15:48.193
Risk analysis

This vulnerability is rated 🟠 HIGH.

  • CVSS: 7.4 (HIGH)
  • Detected tags: apache (tag impact: LOW)

Recommended actions:

  • Prioritize remediation based on business criticality and exposure.
  • Limit exposure and increase monitoring until fixed.

Recommended tools

Tags