Apache HTTP Server 2.4.63 & earlier mod_ssl: HTTP Desync via TLS Upgrade
CVE-2025-49812 Published on July 10, 2025
Apache HTTP Server: mod_ssl TLS upgrade attack
In some mod_ssl configurations on Apache HTTP Server versions through to 2.4.63, an HTTP desynchronisation attack allows a man-in-the-middle attacker to hijack an HTTP session via a TLS upgrade.
Only configurations using "SSLEngine optional" to enable TLS upgrades are affected. Users are recommended to upgrade to version 2.4.64, which removes support for TLS upgrade.
Vulnerability Analysis
CVE-2025-49812 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality and integrity, and no impact on availability.
Timeline
Report received
2.4.x revision 1927045 76 days later.
Weakness Type
What is an authentification Vulnerability?
When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct.
CVE-2025-49812 has been classified to as an authentification vulnerability or weakness.
Products Associated with CVE-2025-49812
You can be notified by email with stack.watch whenever vulnerabilities like CVE-2025-49812 are published in these products:
Affected Versions
Apache Software Foundation Apache HTTP Server:- Before and including 2.4.63 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.