VYPR
Unrated severity · NVD Advisory · Published Jul 10, 2025 · Updated Nov 4, 2025

Apache HTTP Server: mod_ssl TLS upgrade attack

CVE-2025-49812

Description

In some mod_ssl configurations on Apache HTTP Server versions through to 2.4.63, an HTTP desynchronisation attack allows a man-in-the-middle attacker to hijack an HTTP session via a TLS upgrade.

Only configurations using "SSLEngine optional" to enable TLS upgrades are affected. Users are recommended to upgrade to version 2.4.64, which removes support for TLS upgrade.
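
A configuration check for the affected setting, as an added example that is not part of the advisory or of Apache's own tooling: it scans Apache configuration text for an effective `SSLEngine optional` directive and reports the line number and the enclosing section. The function name `find_ssl_engine_optional` and the sample configuration are constructed for illustration.

```python
import re

# Matches an opening or closing container tag, e.g. <VirtualHost *:80> or </VirtualHost>.
_SECTION = re.compile(r"^<\s*(/?)\s*([A-Za-z]+)([^>]*)>$")

def find_ssl_engine_optional(config_text):
    """Return (line_number, enclosing_section) for each 'SSLEngine optional' directive."""
    findings = []
    stack = []      # currently open container sections
    pending = ""    # accumulates backslash-continued lines
    start = 0       # line where the current logical line began
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        if not pending:
            start = lineno
        if raw.endswith("\\"):      # a trailing backslash continues the directive
            pending += raw[:-1] + " "
            continue
        line = (pending + raw).strip()
        pending = ""
        if not line or line.startswith("#"):    # comments occupy whole lines
            continue
        m = _SECTION.match(line)
        if m:
            closing, name, args = m.groups()
            if not closing:
                stack.append(f"<{name}{args.rstrip()}>")
            elif stack:
                stack.pop()
            continue
        parts = line.split()
        # Directive name and argument are case-insensitive; the argument may be quoted.
        if (len(parts) >= 2 and parts[0].lower() == "sslengine"
                and parts[1].strip("\"'").lower() == "optional"):
            findings.append((start, stack[-1] if stack else "<global>"))
    return findings

# Constructed sample configuration (not taken from the advisory).
SAMPLE = """\
# SSLEngine optional
<VirtualHost *:80>
    ServerName upgrade.example.test
    sslengine \\
        "Optional"
</VirtualHost>
<VirtualHost *:443>
    SSLEngine on
</VirtualHost>
"""
```

The scan covers only the text it is given; files pulled in through Include directives need to be passed in separately.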

Affected products

  • Range: <=2.4.63
  • Apache Software Foundation/Apache HTTP Server v5
    Range: 0
