CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2025-49630: Apache HTTP Server: mod_proxy_http2 denial of service

Description

In certain proxy configurations, a denial of service attack against Apache HTTP Server versions 2.4.26 through to 2.4.63 can be triggered by untrusted clients causing an assertion in mod_proxy_http2.

Configurations affected are a reverse proxy is configured for an HTTP/2 backend, with ProxyPreserveHost set to "on".

Classification

CVE ID: CVE-2025-49630

Problem Types

CWE-617 Reachable Assertion

Affected Products

Vendor: Apache Software Foundation

Product: Apache HTTP Server

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.02% (probability of being exploited)

EPSS Percentile: 3.02% (scored less or equal to compared to others)

EPSS Date: 2025-07-12 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-49630
https://httpd.apache.org/security/vulnerabilities_24.html

Timeline

2025-07-10 18:40:12 UTC
CVE

Apache HTTP Server: mod_proxy_http2 denial of service