Apache Httpd 2.4.35-2.4.63 mod_ssl TLS1.3 SR Access Ctrl Bypass
CVE-2025-23048 Published on July 10, 2025
Apache HTTP Server: mod_ssl access control bypass with session resumption
In some mod_ssl configurations on Apache HTTP Server 2.4.35 through to 2.4.63, an access control bypass by trusted clients is possible using TLS 1.3 session resumption.
Configurations are affected when mod_ssl is configured for multiple virtual hosts, with each restricted to a different set of trusted client certificates (for example with a different SSLCACertificateFile/Path setting). In such a case, a client trusted to access one virtual host may be able to access another virtual host, if SSLStrictSNIVHostCheck is not enabled in either virtual host.
Vulnerability Analysis
CVE-2025-23048 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. An automatable proof of concept (POC) exploit exists. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality and integrity, and no impact on availability.
Timeline
reported
Weakness Type
What is an Authorization Vulnerability?
The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
CVE-2025-23048 has been classified to as an Authorization vulnerability or weakness.
Products Associated with CVE-2025-23048
You can be notified by email with stack.watch whenever vulnerabilities like CVE-2025-23048 are published in these products:
Affected Versions
Apache Software Foundation Apache HTTP Server:- Version 2.4.35, <= 2.4.63 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.