Apache HTTP 2.4.64: RewriteCond expr always true bug
CVE-2025-54090 Published on July 23, 2025

Apache HTTP Server: 'RewriteCond expr' always evaluates to true in 2.4.64
A bug in Apache HTTP Server 2.4.64 results in all "RewriteCond expr ..." tests evaluating as "true". Users are recommended to upgrade to version 2.4.65, which fixes the issue.

Vendor Advisory NVD

Vulnerability Analysis

CVE-2025-54090 is exploitable with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be low. considered to have a small impact on confidentiality and integrity and availability.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
LOW
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
LOW
Integrity Impact:
LOW
Availability Impact:
LOW

Timeline

reported

fixed in 2.4.x by r1927361 7 days later.

Weakness Type

Incorrect Check of Function Return Value

The software incorrectly checks a return value from a function, which prevents the software from detecting errors or exceptional conditions. Important and common functions will return some value about the success of its actions. This will alert the program whether or not to handle any errors caused by that function.


Products Associated with CVE-2025-54090

You can be notified by email with stack.watch whenever vulnerabilities like CVE-2025-54090 are published in these products:

Apache HTTP Server
 
Oracle
 
Microsoft Http Server
 

Affected Versions

Apache Software Foundation Apache HTTP Server Version 2.4.64 is affected by CVE-2025-54090

Exploit Probability

EPSS
0.24%
Percentile
47.29%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.