Unrated severity · NVD Advisory · Published Jul 10, 2025 · Updated Feb 26, 2026
Apache HTTP Server: mod_ssl access control bypass with session resumption
CVE-2025-23048
Description
In some mod_ssl configurations on Apache HTTP Server 2.4.35 through to 2.4.63, an access control bypass by trusted clients is possible using TLS 1.3 session resumption.
Configurations are affected when mod_ssl is configured for multiple virtual hosts, with each restricted to a different set of trusted client certificates (for example with a different SSLCACertificateFile/Path setting). In such a case, a client trusted to access one virtual host may be able to access another virtual host, if SSLStrictSNIVHostCheck is not enabled in either virtual host.
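A configuration audit for the condition described above, as an added example that is not part of the advisory or of Apache's own tooling: it reads httpd configuration text and reports pairs of virtual hosts that restrict clients to different CA settings without SSLStrictSNIVHostCheck enabled. Assumptions: a pair is reported unless both virtual hosts enable the directive (a conservative reading of the advisory), a server-level setting is inherited by virtual hosts that do not set it, and Include directives are not followed; the host names and file paths are constructed.

```python
from itertools import combinations

# Constructed sample (not from the advisory): two TLS vhosts trusting different
# client CAs; only the second enables SSLStrictSNIVHostCheck.
SAMPLE_CONF = """
<VirtualHost *:443>
    ServerName a.example.test
    SSLVerifyClient require
    SSLCACertificateFile /etc/pki/ca-a.pem
</VirtualHost>
<VirtualHost *:443>
    ServerName b.example.test
    SSLVerifyClient require
    SSLCACertificateFile /etc/pki/ca-b.pem
    SSLStrictSNIVHostCheck on
</VirtualHost>
"""
CA_KEYS = {"sslcacertificatefile", "sslcacertificatepath"}

def parse_vhosts(conf):
    """Collect ServerName, client-CA settings and strict-SNI flag per <VirtualHost>."""
    vhosts, cur, server_strict = [], None, False
    for line in (l.strip() for l in conf.splitlines()):
        low = line.lower()
        if low.startswith("<virtualhost"):
            cur = {"name": "(unnamed)", "ca": set(), "strict": None}
        elif low.startswith("</virtualhost") and cur is not None:
            vhosts.append(cur)
            cur = None
        elif line and not line.startswith("#"):
            key, val = (line.split(None, 1) + [""])[:2]
            key, val = key.lower(), val.strip()
            if key == "sslstrictsnivhostcheck" and cur is None:
                server_strict = val.lower() == "on"   # server-level setting
            elif key == "sslstrictsnivhostcheck":
                cur["strict"] = val.lower() == "on"
            elif cur is not None and key == "servername":
                cur["name"] = val
            elif cur is not None and key in CA_KEYS:
                cur["ca"].add((key, val))
    for v in vhosts:  # assumption: vhosts that do not set it inherit the server level
        if v["strict"] is None:
            v["strict"] = server_strict
    return vhosts

def risky_pairs(vhosts):
    """Pairs with different client-CA settings where strict SNI is not on in both."""
    return [(a["name"], b["name"]) for a, b in combinations(vhosts, 2)
            if a["ca"] and b["ca"] and a["ca"] != b["ca"]
            and not (a["strict"] and b["strict"])]
```

Call `risky_pairs(parse_vhosts(text))` on the merged configuration text; an empty list means no pair matched the condition under the assumptions above.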
Affected products
- Range: 2.4.35 - 2.4.63
- Apache Software Foundation/Apache HTTP Server, v5, Range: 2.4.35
References
- httpd.apache.org/security/vulnerabilities_24.html (mitre, vendor-advisory)